amadey | 248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422

Analysis

max time kernel
150s
max time network
147s
platform
windows10_x64
resource
win10-en-20211014
submitted
07-12-2021 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe
Size

318KB
MD5

ad520d67d4b22933f9a253641fac3116
SHA1

3f31e6fba81906db984c1fec83013c50acfebab7
SHA256

248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422
SHA512

2b82f10b8f4753e1ed41800f40a557dce65721f64f5ec7dc40bd26bedd387e65f8344bc278c94ca74a199b57afe3268bc77b750fde5bf3e513ea3b8d5e9e2be3

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

f797145799b7b1b77b35d81de942eee0908da519

Attributes

url4cnc
http://91.219.236.27/capibar
http://94.158.245.167/capibar
http://185.163.204.216/capibar
http://185.225.19.238/capibar
http://185.163.204.218/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

icedid

Campaign

3439131404

grendafolz.com

Extracted

Family

amadey

Version

2.86

185.215.113.35/d2VxjasuwS/index.php

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

fd4f23250443a724a3d1548e6ab07c481dfc2814

Attributes

url4cnc
http://91.219.236.27/duglassa1
http://94.158.245.167/duglassa1
http://185.163.204.216/duglassa1
http://185.225.19.238/duglassa1
http://185.163.204.218/duglassa1
https://t.me/duglassa1

rc4.plain

Extracted

Family

arkei

Botnet

Default

http://195.133.18.126/ZIaKfGwC3P.php

Extracted

Family

redline

185.112.83.69:37026

Extracted

Family

redline

Botnet

cheat

185.112.83.21:21142

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Arkei
Arkei is an infostealer written in C++.
stealer arkei
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1812-137-0x0000000000890000-0x00000000008F9000-memory.dmp	family_redline
behavioral1/memory/588-161-0x0000000000240000-0x00000000002F2000-memory.dmp	family_redline
behavioral1/memory/4272-260-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/4272-261-0x000000000041BCFE-mapping.dmp	family_redline
behavioral1/memory/4272-282-0x0000000005440000-0x0000000005A46000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\whw.exe	family_redline
C:\Users\Admin\AppData\Roaming\whw.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata

Arkei Stealer Payload 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1788-231-0x00000000013C0000-0x000000000178B000-memory.dmp	family_arkei
behavioral1/memory/1788-233-0x00000000013C0000-0x000000000178B000-memory.dmp	family_arkei
behavioral1/memory/1788-236-0x00000000013C0000-0x000000000178B000-memory.dmp	family_arkei

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

35C2.exe35C2.exeAC3B.exeAEBC.exeBF97.exeCFC4.exeE67A.exetkools.exetkools.exe2113.exe417D.exetkools.exesafasf.exewhw.exe

pid	process
3164	35C2.exe
4068	35C2.exe
2808	AC3B.exe
1812	AEBC.exe
588	BF97.exe
2476	CFC4.exe
2076	E67A.exe
3564	tkools.exe
3376	tkools.exe
1788	2113.exe
2000	417D.exe
4880	tkools.exe
4936	safasf.exe
5000	whw.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2113.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2113.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2113.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

tkools.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation tkools.exe
Deletes itself 1 IoCs

Processes:

pid process

3028
Loads dropped DLL 4 IoCs

Processes:

regsvr32.exe2113.exe

pid process

2564 regsvr32.exe
1788 2113.exe
1788 2113.exe
1788 2113.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

2113.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2113.exe
Detected potential entity reuse from brand microsoft.
phishing microsoft
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

AEBC.exeBF97.exe2113.exe

pid process

1812 AEBC.exe
588 BF97.exe
1788 2113.exe
1788 2113.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	tkools.exe

pid	process
3028

pid	process
2564	regsvr32.exe
1788	2113.exe
1788	2113.exe
1788	2113.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2113.exe

pid	process
1812	AEBC.exe
588	BF97.exe
1788	2113.exe
1788	2113.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe35C2.exetkools.exe417D.exe

description	pid	process	target process
PID 2176 set thread context of 2672	2176	248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe	248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe
PID 3164 set thread context of 4068	3164	35C2.exe	35C2.exe
PID 3564 set thread context of 3376	3564	tkools.exe	tkools.exe
PID 2000 set thread context of 4272	2000	417D.exe	RegAsm.exe

Drops file in Windows directory 4 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

35C2.exe248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	35C2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	35C2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	35C2.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exe2113.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2113.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2113.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3748 schtasks.exe

pid	process
3748	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompleted = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 7032c48995ebd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 25b0743d06c1d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = 10dfc259a3efd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\SplashScreen
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{3E1D1C96-0737-4234-A39E-BEF7CBA98DD8}"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = dfb5c68995ebd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersio = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\MrtCache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 010000004aabd305e444092a2ca406c78702e45a2a73bb87387d168d194bd1c97f1ded1b53f2a400cf8f8ba544631dd1cee42485d96c68f3d5b0ea3d9350f6c7422cc9392e66178fb7531ebdaab726d2b33e1e8b67e7fe076e7ff6d99b1f	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe

pid	process
2672	248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe
2672	248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3028
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe35C2.exe

pid process

2672 248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe
4068 35C2.exe

pid	process
3028

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AEBC.exeMicrosoftEdge.exe

description	pid	process
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeDebugPrivilege	1812	AEBC.exe
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeTakeOwnershipPrivilege	3028
Token: SeRestorePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeDebugPrivilege	2448	MicrosoftEdge.exe
Token: SeDebugPrivilege	2448	MicrosoftEdge.exe
Token: SeDebugPrivilege	2448	MicrosoftEdge.exe
Token: SeDebugPrivilege	2448	MicrosoftEdge.exe
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

MicrosoftEdge.exe

pid process

3028
2448 MicrosoftEdge.exe

pid	process
3028
2448	MicrosoftEdge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe35C2.exeCFC4.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2176 wrote to memory of 2672	2176	248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe	248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe
PID 2176 wrote to memory of 2672	2176	248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe	248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe
PID 2176 wrote to memory of 2672	2176	248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe	248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe
PID 2176 wrote to memory of 2672	2176	248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe	248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe
PID 2176 wrote to memory of 2672	2176	248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe	248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe
PID 2176 wrote to memory of 2672	2176	248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe	248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe
PID 3028 wrote to memory of 3164	3028		35C2.exe
PID 3028 wrote to memory of 3164	3028		35C2.exe
PID 3028 wrote to memory of 3164	3028		35C2.exe
PID 3164 wrote to memory of 4068	3164	35C2.exe	35C2.exe
PID 3164 wrote to memory of 4068	3164	35C2.exe	35C2.exe
PID 3164 wrote to memory of 4068	3164	35C2.exe	35C2.exe
PID 3164 wrote to memory of 4068	3164	35C2.exe	35C2.exe
PID 3164 wrote to memory of 4068	3164	35C2.exe	35C2.exe
PID 3164 wrote to memory of 4068	3164	35C2.exe	35C2.exe
PID 3028 wrote to memory of 2808	3028		AC3B.exe
PID 3028 wrote to memory of 2808	3028		AC3B.exe
PID 3028 wrote to memory of 2808	3028		AC3B.exe
PID 3028 wrote to memory of 1812	3028		AEBC.exe
PID 3028 wrote to memory of 1812	3028		AEBC.exe
PID 3028 wrote to memory of 1812	3028		AEBC.exe
PID 3028 wrote to memory of 2564	3028		regsvr32.exe
PID 3028 wrote to memory of 2564	3028		regsvr32.exe
PID 3028 wrote to memory of 588	3028		BF97.exe
PID 3028 wrote to memory of 588	3028		BF97.exe
PID 3028 wrote to memory of 588	3028		BF97.exe
PID 3028 wrote to memory of 2476	3028		CFC4.exe
PID 3028 wrote to memory of 2476	3028		CFC4.exe
PID 3028 wrote to memory of 2476	3028		CFC4.exe
PID 2476 wrote to memory of 2264	2476	CFC4.exe	cmd.exe
PID 2476 wrote to memory of 2264	2476	CFC4.exe	cmd.exe
PID 2476 wrote to memory of 2264	2476	CFC4.exe	cmd.exe
PID 2264 wrote to memory of 2796	2264	cmd.exe	cmd.exe
PID 2264 wrote to memory of 2796	2264	cmd.exe	cmd.exe
PID 2264 wrote to memory of 2796	2264	cmd.exe	cmd.exe
PID 2264 wrote to memory of 3528	2264	cmd.exe	cacls.exe
PID 2264 wrote to memory of 3528	2264	cmd.exe	cacls.exe
PID 2264 wrote to memory of 3528	2264	cmd.exe	cacls.exe
PID 2476 wrote to memory of 3512	2476	CFC4.exe	cmd.exe
PID 2476 wrote to memory of 3512	2476	CFC4.exe	cmd.exe
PID 2476 wrote to memory of 3512	2476	CFC4.exe	cmd.exe
PID 3512 wrote to memory of 368	3512	cmd.exe	cacls.exe
PID 3512 wrote to memory of 368	3512	cmd.exe	cacls.exe
PID 3512 wrote to memory of 368	3512	cmd.exe	cacls.exe
PID 2476 wrote to memory of 1368	2476	CFC4.exe	cmd.exe
PID 2476 wrote to memory of 1368	2476	CFC4.exe	cmd.exe
PID 2476 wrote to memory of 1368	2476	CFC4.exe	cmd.exe
PID 1368 wrote to memory of 2328	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 2328	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 2328	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 1484	1368	cmd.exe	cacls.exe
PID 1368 wrote to memory of 1484	1368	cmd.exe	cacls.exe
PID 1368 wrote to memory of 1484	1368	cmd.exe	cacls.exe
PID 3028 wrote to memory of 2076	3028		E67A.exe
PID 3028 wrote to memory of 2076	3028		E67A.exe
PID 3028 wrote to memory of 2076	3028		E67A.exe
PID 2476 wrote to memory of 3760	2476	CFC4.exe	cmd.exe
PID 2476 wrote to memory of 3760	2476	CFC4.exe	cmd.exe
PID 2476 wrote to memory of 3760	2476	CFC4.exe	cmd.exe
PID 2476 wrote to memory of 3564	2476	CFC4.exe	tkools.exe
PID 2476 wrote to memory of 3564	2476	CFC4.exe	tkools.exe
PID 2476 wrote to memory of 3564	2476	CFC4.exe	tkools.exe
PID 3760 wrote to memory of 2480	3760	cmd.exe	cacls.exe
PID 3760 wrote to memory of 2480	3760	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe
"C:\Users\Admin\AppData\Local\Temp\248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Local\Temp\248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe
"C:\Users\Admin\AppData\Local\Temp\248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2672

C:\Users\Admin\AppData\Local\Temp\35C2.exe
C:\Users\Admin\AppData\Local\Temp\35C2.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3164

C:\Users\Admin\AppData\Local\Temp\35C2.exe
C:\Users\Admin\AppData\Local\Temp\35C2.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4068

C:\Users\Admin\AppData\Local\Temp\AC3B.exe
C:\Users\Admin\AppData\Local\Temp\AC3B.exe
1⤵
- Executes dropped EXE
PID:2808

C:\Users\Admin\AppData\Local\Temp\AEBC.exe
C:\Users\Admin\AppData\Local\Temp\AEBC.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\B5E1.dll
1⤵
- Loads dropped DLL
PID:2564

C:\Users\Admin\AppData\Local\Temp\BF97.exe
C:\Users\Admin\AppData\Local\Temp\BF97.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:588

C:\Users\Admin\AppData\Local\Temp\CFC4.exe
C:\Users\Admin\AppData\Local\Temp\CFC4.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
2⤵
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2796

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
3⤵
PID:3528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
2⤵
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
3⤵
PID:368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
2⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2328

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
3⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
2⤵
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
3⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
"C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
3⤵
PID:1336

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
4⤵
PID:2968

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F
3⤵
- Creates scheduled task(s)
PID:3748

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
"C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:3376

C:\Users\Admin\AppData\Local\Temp\E67A.exe
C:\Users\Admin\AppData\Local\Temp\E67A.exe
1⤵
- Executes dropped EXE
PID:2076

C:\Users\Admin\AppData\Local\Temp\2113.exe
C:\Users\Admin\AppData\Local\Temp\2113.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:1788

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2448

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:960

C:\Users\Admin\AppData\Local\Temp\417D.exe
C:\Users\Admin\AppData\Local\Temp\417D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
2⤵
- Checks processor information in registry
PID:4272

C:\Users\Admin\AppData\Roaming\safasf.exe
"C:\Users\Admin\AppData\Roaming\safasf.exe"
3⤵
- Executes dropped EXE
PID:4936

C:\Users\Admin\AppData\Roaming\whw.exe
"C:\Users\Admin\AppData\Roaming\whw.exe"
3⤵
- Executes dropped EXE
PID:5000

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1336

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2076

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2008

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4592

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
1⤵
- Executes dropped EXE
PID:4880

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4352

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1K9FN5JA\docons.e48f4bac[1].woff2
MD5
d8c9bad9e347a27dbc1c81520b2558cd

SHA1
d494ba6a92e2b3165f4475182f2a796ff6bbc89e

SHA256
331cd4ec79f010b95376078957fa8adc10fb8aba11b0d029b83b0994b466f59a

SHA512
0785cb9c0020381b819dc79e46bd3b588b200f6c5117794dca3392818a7eaecaf6c7107e1430709f185c25cbdd3e226dde9e800483ceb44bfcabe0efa5aaf7da

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\RQU434MK\SegoeUI-Roman-VF_web[1].woff2
MD5
bca97218dca3cb15ce0284cbcb452890

SHA1
635298cbbd72b74b1762acc7dad6c79de4b3670d

SHA256
63c12051016796d92bcf4bc20b4881057475e6dfa4937c29c9e16054814ab47d

SHA512
6e850842d1e353a5457262c5c78d20704e8bd24b532368ba5e5dfc7a4b63059d536296b597fd3ccbd541aa8f89083a79d50aaa1b5e65b4d23fc37bfd806f0545

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\RQU434MK\TeX-AMS_CHTML[1].js
MD5
a7d2b67197a986636d79842a081ea85e

SHA1
b5e05ef7d8028a2741ec475f21560cf4e8cb2136

SHA256
9e0394a3a7bf16a1effb14fcc5557be82d9b2d662ba83bd84e303b4bdf791ef9

SHA512
ad234df68e34eb185222c24c30b384201f1e1793ad6c3dca2f54d510c7baa67eabdc39225f10e6b783757c0db859ce2ea32d6e78317c30a02d1765aee9f07109

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\RQU434MK\app-could-not-be-started[1].png
MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\RQU434MK\latest[1].woff2
MD5
2835ee281b077ca8ac7285702007c894

SHA1
2e3d4d912aaf1c3f1f30d95c2c4fcea1b7bbc29a

SHA256
e172a02b68f977a57a1690507df809db1e43130f0161961709a36dbd70b4d25f

SHA512
80881c074df064795f9cc5aa187bea92f0e258bf9f6b970e61e9d50ee812913bf454cecbe7fd9e151bdaef700ce68253697f545ac56d4e7ef7ade7814a1dbc5a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\RQU434MK\repair-tool-recommended-changes[1].png
MD5
3062488f9d119c0d79448be06ed140d8

SHA1
8a148951c894fc9e968d3e46589a2e978267650e

SHA256
c47a383de6dd60149b37dd24825d42d83cb48be0ed094e3fc3b228d0a7bb9332

SHA512
00bba6bcbfbf44b977129594a47f732809dce7d4e2d22d050338e4eea91fcc02a9b333c45eeb4c9024df076cbda0b46b621bf48309c0d037d19bbeae0367f5ed

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\44XDLMXW.cookie
MD5
7f6f14f8d790d8714173650902ed398e

SHA1
6197b32e049fc40a99c0f071c6477ca955ec5764

SHA256
e68b1eab605b80da8ddedcddc6e118e98896d5c6411221a85c7938cac39f2082

SHA512
39a3af7d666f9d1ec3960e29a1533ce5e94647977ece14d457a169ebd902e407c5e3a9883520b221a21f12486f1ee8c5129a7851e2e8bea921206e861b2421ba

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\DNCPSCR2.cookie
MD5
d77b6669424b2f55126df84962e83bd7

SHA1
2060bdbad68e80cec9aab00091de6d44d4034fb7

SHA256
b7379e25600f53aa8a8959a3537b7424019649dfb4298e07af1238dda34e4c8a

SHA512
9c4f3730512c4a7488410c40843d44cf940b32ecce8ae0ade580f392fe0a1bfbe3307ab875038df7b57c12171a42c34e64de24bb035deb5d3e839a40d17c5dc4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\WLPJ8UHB.cookie
MD5
2b0f3faae6817da398396445bd9f0740

SHA1
8cd658ce9cceb6b9555665b41f8383e685fe1620

SHA256
980684731bb422ef2bb5b62a98383dea9ba4e7d41fc143e1f5aa07703d64cfe6

SHA512
130bfd170a2a9326bdab81a6a6d10ab0f5b9b46f7c4b74ee91ca0e1b16b92b67c63d87f8cf0b95fda98abca9ae655713d01e210051f1ae6738a4310d41d615b4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\Z8CX1WT9.cookie
MD5
9bd78957bb554de76cda31e6258f7728

SHA1
eb1c83d33127cee652defcd264b4f7c39cdd7c08

SHA256
05cef9a5ab59aebfc7d37ff81db5f3408de57c1ab0f13bd0476a86abe99468b2

SHA512
6425950eaaa9428c2ba21730f439c56d183f54bb4c4ae9f7bdfac18e4e94fe1d6c35633134d6d2b488a02bcbe2a08ff34f3977a95179733a8907790e5b4e2aac

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
MD5
dcee8a9064c5587a0351faf687060456

SHA1
2c5205bd176af8da184a473c55c2737e5fa7124c

SHA256
f04a5e5cf5dde2f1d7584ae56dfecb1066f33cd18e02e9c694fd5b28d226d738

SHA512
504c9cff61fc3d1df2d6a6349550608325d25b97730f32a921b8d6b0abf1243df73e9e7677d3dcb655fb5e57d2a96eb0a7988a8ebbcc24ac0093c2a8532db837

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
6f3c8163868ae6b405708ba11419d694

SHA1
3fb35c42bd359640fad1b503443edeeeb00e0700

SHA256
ff8eb397bcb5ca3f90e837e57b4e77aa5cff378686383ac8ad1e8f778f03b0f3

SHA512
24de8b75cdad04f14852d6b759ef95a5d3fc222b003969d6ece1d4912d0925ad407af63497eaa4eea8e749ea903178ecdf80a920d8b6b85f58875a2cb213511b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
a4ceba041e5473eeeaff6c155d5ba834

SHA1
484546227129d6a6b8b6b310c1cb2f9d165b39e2

SHA256
10bd343c8c6814e74ef854bfe573044376e3be73ee4bde6fffb6947deb1f5768

SHA512
5158e8e632d4ab391a811caf3ab3417c3b0d01ecb18d85727619b7fc32d96e9ea66f0bd9d4a4c8c50649687254f20166661e2deefe451c1c5ce8aebde904ffc9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231
MD5
3b17da5b55eb70a95b798cae7d51b882

SHA1
7696df300c53fcaf9bfeeb095d9259131e1d0484

SHA256
6d38f8c1aa9d47ee9d5ee5607b7d42e355f7d364ba9e2f7ce42a879dde8c15f0

SHA512
60d893a6fc9457415dc788dd87ad1ebbdbb063e95d4f8f99cd91ff9a7a1ddce1f5f7f0b9bec78013860d16e5e1f634c2268f66a8c7cc90005f9b76a118cf5a31

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
d7059bd0cb9898ceba5da8f13a11467f

SHA1
52ed7f0cbbaa5066902c6e01c7aef5784edefe46

SHA256
b81389b96f08e62912bc7a46efbc58c72415a36837f8bd1a401903c81e389574

SHA512
1490c8c33f4c0b923a0bc2875989c8372290a903e72b251af874c373afcd9cb645eec5975ee466ba3763468e183fd9a74ff0249fbbd965c6cb9d89f1bd6b03c7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
MD5
7286adbfacb18371d02340704c460f3b

SHA1
4df2e133737ce15a49fe2615e068d11004ab0258

SHA256
38795124a9cbb04052171995aeec07f1407d211bfc1a854db9c95a005360c562

SHA512
34cddf8751ac274b0131e4d44fb3fa7a0c36b6c33c3d872029068621d320b371ee602508bf78b857254d8de103ce30fdc5fffcbe4a68a0cf880f99fd67cd21cd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
MD5
7b9b90f6103b5ef1197417538f0584ed

SHA1
5a676315097a62a77186105c0cd54ee597ae52e7

SHA256
ea4d47652e7553b530061030d07d55dcfa35360628665809c729bf9105b5c956

SHA512
cb557ca1124b5d250d29945eab1f5bc7b38b484d8ac0dcb093c129e3269bab2275195e1d1ab4777423eab22e8a23ed5bc95226a48b78246f8d33915dae3fff05

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
MD5
32d40010f7ba6006c055182a79489724

SHA1
192fb1b4b53734400875daa28be309215ea6d8bb

SHA256
087c5c081053a290d7c5936ca1f00505d3da78cd3726b977456e69bb9d95c42e

SHA512
f99d5699924020e65dcb78630043d01850deafba3e76911ae97a57d8ffeec5a0ca67cd852389da48c6bb05aec0c570299e4b123fc1656d03c7a787179be5f8da

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
MD5
b519636425f9d3d66b5c9f4fc4acdace

SHA1
8e9c71c28f2324b9306c1b0d95e18ee4424e1cc0

SHA256
271141f01cd60d80d55362a0839c317b9adac2fba12c3787bd70bbb9c8ad4a48

SHA512
e956f7aae6821644c496fc66b90fc90b94b99c75927fc5ea04a326e85a52894aed7850a6b1fc0187dbd1e1159ac98d227e7a00ffdeab4c0fc7104e85194f49d2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
a046207f6efcb3fbd0abcc3f8adc3f32

SHA1
3098ca690181e2b079f1b6d48c3457bd21c4c05f

SHA256
0126eb6c6819c7c8558c8c4e9ae7814c175c39bf3d9847ec52c385e194677162

SHA512
d7dbf70b2ee3c8f34811fe80fac3c728cc9694af4b44c9759c41a33ca28489973fb0edf4122fc5abbf1abbf55cd3478091b045d22b4d9c78e94d158fae60e70b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
30c6ae9f195cea41bc7b78a4939a0b63

SHA1
fec5324a6823cbab7db00cffa69e46879843764d

SHA256
58fdf21d4e816c90f78e7c0e9836ca3dd4e1ffeaf5d2c61afd8682157d60e1b1

SHA512
df76c37b53c26887e2d86fe3fec9344db8184139c2d50010dd0eb8b05ca37d28991e33a92489b61ba7a8a2c556b2ca71cd2df7dd8ef8e64a620c92b9e8fb8845

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
08e2a0ce2ce1fec006e85151fb2499c4

SHA1
f43e0efe8def3cac24461d31ddbd333b451d8e54

SHA256
08f59080c5593da14333eedee42f8f8994a7d669c51f4d64a2370833c0120198

SHA512
3c7e506dce93de9967c77991507a706b0aee114ccf50cee4da77cce95d89d9a3b20eefeb997f4cdd5c73e0bcf03dcd7933974d2a6c83c2569dc03ddcf1a4e461

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
62f011f3fb40f9931351e0688b20c5b5

SHA1
300a51a84b30bf7681166c7fbbac9de896a16422

SHA256
b1a8d07faf801b52a8116661d05834bf15a9b8b7c3def335e71e5c71ed667d77

SHA512
53e12f8de187102517a64d2108c54e9fe417d1ebcd6407242c2d47bf658d67e99ecfcfcdc5d7c5f30a1e756393f50a58ba07ef357ff3a6771bf63de3ce17d592

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231
MD5
6e06c84113c25a81089c57888adbd3a8

SHA1
2d7f495b0979d1e0b06262c272fc81874a69b7ab

SHA256
f3edc2ffd34e39dadddab78e844547cb50362e636cbac913af66d90b2ffa5a35

SHA512
75ab84c379bf6fbb172b9c57477038697c4de31778eb3abf35d5334cb1f5b2910a833a13d4e1bb946d7de02c764e0dfa01e470d8aa502d24edd645c8c43d0d16

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
4c329cd8675c5ced18a8f3ac4ddea3e7

SHA1
f4e8e3ecb4d7136fd6d7b24801aa4f6b241f1b33

SHA256
af0d2825c89cd29505593f3bbc0da50807ae7ec1ab44147edb56f12efac59a29

SHA512
4c410c5cc8b16c37df97714f5bdab1d9d74eda76b41227e3f1ceae711d702d778b29445c30bb6a48d7509a434f05fc98ec68ac0c4e9c12517f4cd2e6f244d082

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
MD5
1819b7ef6e4b6866381e8107834e83ad

SHA1
c060f11a29da4b0a3fde13b31dd1e00c6557c6f8

SHA256
bfe00024caa309c67c26d2c1d6e1231196bed8b8af9fa815d8bef9c9c122c625

SHA512
20db42ea3deae24cf80ed2ebb6d521137d782b034ff06d1833f2ebacdf3fd35ad73febf1bf2e0cbfddbabc38b6cc07ae33860ec7ca106fe864fef98a53c4e9c2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
MD5
5cda9284ab498ac01d7afb5a90b399d7

SHA1
95a0d1128dd99f80763090f7701fca859be792d0

SHA256
bc6fad7ac0934282d70afcc7c1515b766fe81a943a6772071d60155727e6abcd

SHA512
f6cc348fdaaf3e46f42f4cf2715d170e2868f46ff0a2e48cad4bb5edc20c3a06dfe16cde1a018e85a4f8b27ebf914c6c7062368bfe83026b0561082b22721a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\03795181499162622812
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\03795181499162622812
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2113.exe
MD5
dae9362b118838d3781ed2521e9a4b08

SHA1
cc5cb0931066b81ce1c07291262e95826bd1b515

SHA256
bc5b78247fad9bece339750bd83fe5bc84c6f0d72bfa05be543e0116d9f6ac1d

SHA512
d576cba6bdf98b5a7ded33adc6d161639c43b02a4bd206c3b13cf3632391a958d1697e00746bc2a1e243fe77d906ee8587d16f0d8ee267c5326902377b9c4fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2113.exe
MD5
dae9362b118838d3781ed2521e9a4b08

SHA1
cc5cb0931066b81ce1c07291262e95826bd1b515

SHA256
bc5b78247fad9bece339750bd83fe5bc84c6f0d72bfa05be543e0116d9f6ac1d

SHA512
d576cba6bdf98b5a7ded33adc6d161639c43b02a4bd206c3b13cf3632391a958d1697e00746bc2a1e243fe77d906ee8587d16f0d8ee267c5326902377b9c4fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\35C2.exe
MD5
ad520d67d4b22933f9a253641fac3116

SHA1
3f31e6fba81906db984c1fec83013c50acfebab7

SHA256
248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422

SHA512
2b82f10b8f4753e1ed41800f40a557dce65721f64f5ec7dc40bd26bedd387e65f8344bc278c94ca74a199b57afe3268bc77b750fde5bf3e513ea3b8d5e9e2be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\35C2.exe
MD5
ad520d67d4b22933f9a253641fac3116

SHA1
3f31e6fba81906db984c1fec83013c50acfebab7

SHA256
248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422

SHA512
2b82f10b8f4753e1ed41800f40a557dce65721f64f5ec7dc40bd26bedd387e65f8344bc278c94ca74a199b57afe3268bc77b750fde5bf3e513ea3b8d5e9e2be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\35C2.exe
MD5
ad520d67d4b22933f9a253641fac3116

SHA1
3f31e6fba81906db984c1fec83013c50acfebab7

SHA256
248d0b31555a82252db090a418901a096cebff2892229b96ca2c8461ac3ec422

SHA512
2b82f10b8f4753e1ed41800f40a557dce65721f64f5ec7dc40bd26bedd387e65f8344bc278c94ca74a199b57afe3268bc77b750fde5bf3e513ea3b8d5e9e2be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\417D.exe
MD5
68043f66bd432924765f5db73538ac33

SHA1
7fd4af003c948d0b0b9e9048d872f0c2073973b1

SHA256
504a14e150a0ff204aa49e7a0489fa091774e8f863ff7770d3df0e3de4ddf876

SHA512
8a9fc04a76eb07d35977aab80d06f1a9cd8533aa9309c5969e2d7e3c00b8d1d4f92468736a167362f415509fdcd0cef363b9179fce3616526fe2c31790f49291

Download Submit
C:\Users\Admin\AppData\Local\Temp\417D.exe
MD5
68043f66bd432924765f5db73538ac33

SHA1
7fd4af003c948d0b0b9e9048d872f0c2073973b1

SHA256
504a14e150a0ff204aa49e7a0489fa091774e8f863ff7770d3df0e3de4ddf876

SHA512
8a9fc04a76eb07d35977aab80d06f1a9cd8533aa9309c5969e2d7e3c00b8d1d4f92468736a167362f415509fdcd0cef363b9179fce3616526fe2c31790f49291

Download Submit
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
MD5
2a03cd34f26826a94fde4103644c4223

SHA1
b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21

SHA256
bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd

SHA512
7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
MD5
2a03cd34f26826a94fde4103644c4223

SHA1
b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21

SHA256
bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd

SHA512
7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
MD5
2a03cd34f26826a94fde4103644c4223

SHA1
b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21

SHA256
bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd

SHA512
7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
MD5
2a03cd34f26826a94fde4103644c4223

SHA1
b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21

SHA256
bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd

SHA512
7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC3B.exe
MD5
bce50d5b17bb88f22f0000511026520d

SHA1
599aaed4ee72ec0e0fc4cada844a1c210e332961

SHA256
77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455

SHA512
c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC3B.exe
MD5
bce50d5b17bb88f22f0000511026520d

SHA1
599aaed4ee72ec0e0fc4cada844a1c210e332961

SHA256
77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455

SHA512
c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEBC.exe
MD5
0cefed061e2a2241ecd302d7790a2f80

SHA1
5f119195af2db118c5fbac21634bea00f5d5b8da

SHA256
014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983

SHA512
7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEBC.exe
MD5
0cefed061e2a2241ecd302d7790a2f80

SHA1
5f119195af2db118c5fbac21634bea00f5d5b8da

SHA256
014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983

SHA512
7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\B5E1.dll
MD5
c1c8061651af3227cd9173799f6298ee

SHA1
8ac8a10cf704a02211308884a163e540f064c50a

SHA256
fd14b7d9083d6ab89c8cb4972e39fbb33d789339cd653cd79ba60fef8613421f

SHA512
ca002363390096f4ab4f84e308a8a172a0c2048943541c43c779c7079be44edf18d789d45a66b5d78a2ff9b1c74c9b6dc065dd06c3b042d856b19a84d9f62871

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF97.exe
MD5
6beb00521639f19ea32c64a0799c79b4

SHA1
2d1993a460759b547655480c6aa1f709ca398f34

SHA256
7ee5247dc27418f26e7efe0e84b82e0962d3989851fbae2954f62468e8c7e96b

SHA512
6a59f050fe30ec2c2d7bb427b315b737c56a8143b23f340799e95ba3c8057a813b442f8eb88d03048cc36bba7d0b4cdf15306c896959fefe264ed874267f99cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF97.exe
MD5
6beb00521639f19ea32c64a0799c79b4

SHA1
2d1993a460759b547655480c6aa1f709ca398f34

SHA256
7ee5247dc27418f26e7efe0e84b82e0962d3989851fbae2954f62468e8c7e96b

SHA512
6a59f050fe30ec2c2d7bb427b315b737c56a8143b23f340799e95ba3c8057a813b442f8eb88d03048cc36bba7d0b4cdf15306c896959fefe264ed874267f99cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFC4.exe
MD5
2a03cd34f26826a94fde4103644c4223

SHA1
b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21

SHA256
bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd

SHA512
7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFC4.exe
MD5
2a03cd34f26826a94fde4103644c4223

SHA1
b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21

SHA256
bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd

SHA512
7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\E67A.exe
MD5
94996679b1127144fa594a7bbace0100

SHA1
ac2f4db2025cb074f462e3ac7bbeadca12784eb2

SHA256
ea1c45c03a1e539f0bddb675416be1f9b3d49b35ab27c2a8d0d27eaff2fc8341

SHA512
cddbced089d6f83cdf101c8b643e206a2b97808af6bb6e1197fc57850c6d0a6328b926db5f29e2d3afb14c628c40a6073df35e61d2ec4295ff42927834963891

Download Submit
C:\Users\Admin\AppData\Local\Temp\E67A.exe
MD5
94996679b1127144fa594a7bbace0100

SHA1
ac2f4db2025cb074f462e3ac7bbeadca12784eb2

SHA256
ea1c45c03a1e539f0bddb675416be1f9b3d49b35ab27c2a8d0d27eaff2fc8341

SHA512
cddbced089d6f83cdf101c8b643e206a2b97808af6bb6e1197fc57850c6d0a6328b926db5f29e2d3afb14c628c40a6073df35e61d2ec4295ff42927834963891

Download Submit
C:\Users\Admin\AppData\Roaming\safasf.exe
MD5
eb8c7dbf71a662e3771496a956e6a973

SHA1
e6badc656d030610c6135e46f93078d67c49a61f

SHA256
86ceeed4cf1642869ac16d1089e68244bb2b7612f943519e0adf94e284fdd99a

SHA512
5fe92baee6ef14491d3771330dc6f591d0557adb7b616b32838819ba738cf7c4351546e6a693c37c23079f18c7ca7a45c10e6a07708bf4c4c0ca86419af57c42

Download Submit
C:\Users\Admin\AppData\Roaming\safasf.exe
MD5
eb8c7dbf71a662e3771496a956e6a973

SHA1
e6badc656d030610c6135e46f93078d67c49a61f

SHA256
86ceeed4cf1642869ac16d1089e68244bb2b7612f943519e0adf94e284fdd99a

SHA512
5fe92baee6ef14491d3771330dc6f591d0557adb7b616b32838819ba738cf7c4351546e6a693c37c23079f18c7ca7a45c10e6a07708bf4c4c0ca86419af57c42

Download Submit
C:\Users\Admin\AppData\Roaming\whw.exe
MD5
fdd98e89e4170be0546c8a7671c6c6da

SHA1
29fb344428847de5240d174d43f72c7f18e4b5cf

SHA256
14b51b7a2002fb13bbb344d6c59b0ff96f032cf94fc28a7242feff55d2ea9e07

SHA512
0e0f77f9004439afd6cc95dda1c35ee4f4c482b3130381269ff87efe6d2a5c23cf344dc5be2e925f9f6f1a89f501b7dbe885f40935c41129f5e72c92db2cce34

Download Submit
C:\Users\Admin\AppData\Roaming\whw.exe
MD5
fdd98e89e4170be0546c8a7671c6c6da

SHA1
29fb344428847de5240d174d43f72c7f18e4b5cf

SHA256
14b51b7a2002fb13bbb344d6c59b0ff96f032cf94fc28a7242feff55d2ea9e07

SHA512
0e0f77f9004439afd6cc95dda1c35ee4f4c482b3130381269ff87efe6d2a5c23cf344dc5be2e925f9f6f1a89f501b7dbe885f40935c41129f5e72c92db2cce34

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Users\Admin\AppData\Local\Temp\B5E1.dll
MD5
c1c8061651af3227cd9173799f6298ee

SHA1
8ac8a10cf704a02211308884a163e540f064c50a

SHA256
fd14b7d9083d6ab89c8cb4972e39fbb33d789339cd653cd79ba60fef8613421f

SHA512
ca002363390096f4ab4f84e308a8a172a0c2048943541c43c779c7079be44edf18d789d45a66b5d78a2ff9b1c74c9b6dc065dd06c3b042d856b19a84d9f62871

Download Submit
memory/368-189-0x0000000000000000-mapping.dmp

Download
memory/588-173-0x0000000076310000-0x0000000077658000-memory.dmp

Filesize
19.3MB

Download
memory/588-174-0x0000000002DD0000-0x0000000002E15000-memory.dmp

Filesize
276KB

Download
memory/588-175-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/588-177-0x000000006FED0000-0x000000006FF1B000-memory.dmp

Filesize
300KB

Download
memory/588-165-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/588-158-0x0000000000000000-mapping.dmp

Download
memory/588-164-0x0000000074AF0000-0x0000000074BE1000-memory.dmp

Filesize
964KB

Download
memory/588-161-0x0000000000240000-0x00000000002F2000-memory.dmp

Filesize
712KB

Download
memory/588-167-0x0000000071C60000-0x0000000071CE0000-memory.dmp

Filesize
512KB

Download
memory/588-172-0x0000000075860000-0x0000000075DE4000-memory.dmp

Filesize
5.5MB

Download
memory/588-163-0x00000000754A0000-0x0000000075662000-memory.dmp

Filesize
1.8MB

Download
memory/588-162-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download
memory/1336-202-0x0000000000000000-mapping.dmp

Download
memory/1368-190-0x0000000000000000-mapping.dmp

Download
memory/1484-192-0x0000000000000000-mapping.dmp

Download
memory/1788-236-0x00000000013C0000-0x000000000178B000-memory.dmp

Filesize
3.8MB

Download
memory/1788-219-0x0000000000000000-mapping.dmp

Download
memory/1788-233-0x00000000013C0000-0x000000000178B000-memory.dmp

Filesize
3.8MB

Download
memory/1788-235-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-234-0x00000000013C0000-0x000000000178B000-memory.dmp

Filesize
3.8MB

Download
memory/1788-232-0x00000000013C0000-0x000000000178B000-memory.dmp

Filesize
3.8MB

Download
memory/1788-231-0x00000000013C0000-0x000000000178B000-memory.dmp

Filesize
3.8MB

Download
memory/1788-230-0x00000000013C0000-0x000000000178B000-memory.dmp

Filesize
3.8MB

Download
memory/1788-229-0x00000000754A0000-0x0000000075662000-memory.dmp

Filesize
1.8MB

Download
memory/1788-228-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1788-227-0x00000000013C0000-0x000000000178B000-memory.dmp

Filesize
3.8MB

Download
memory/1788-226-0x00000000013C0000-0x000000000178B000-memory.dmp

Filesize
3.8MB

Download
memory/1788-225-0x00000000013C0000-0x000000000178B000-memory.dmp

Filesize
3.8MB

Download
memory/1788-224-0x0000000002CA0000-0x0000000002CE6000-memory.dmp

Filesize
280KB

Download
memory/1788-223-0x00000000013C0000-0x000000000178B000-memory.dmp

Filesize
3.8MB

Download
memory/1788-222-0x00000000013C0000-0x000000000178B000-memory.dmp

Filesize
3.8MB

Download
memory/1812-215-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/1812-145-0x0000000005A40000-0x0000000005A41000-memory.dmp

Filesize
4KB

Download
memory/1812-140-0x0000000074AF0000-0x0000000074BE1000-memory.dmp

Filesize
964KB

Download
memory/1812-146-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/1812-147-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/1812-139-0x00000000754A0000-0x0000000075662000-memory.dmp

Filesize
1.8MB

Download
memory/1812-131-0x0000000000000000-mapping.dmp

Download
memory/1812-214-0x0000000006E20000-0x0000000006E21000-memory.dmp

Filesize
4KB

Download
memory/1812-213-0x0000000006330000-0x0000000006331000-memory.dmp

Filesize
4KB

Download
memory/1812-212-0x0000000006150000-0x0000000006151000-memory.dmp

Filesize
4KB

Download
memory/1812-211-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/1812-210-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/1812-209-0x0000000006550000-0x0000000006551000-memory.dmp

Filesize
4KB

Download
memory/1812-143-0x0000000071C60000-0x0000000071CE0000-memory.dmp

Filesize
512KB

Download
memory/1812-141-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/1812-152-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/1812-138-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/1812-137-0x0000000000890000-0x00000000008F9000-memory.dmp

Filesize
420KB

Download
memory/1812-135-0x0000000002A30000-0x0000000002A75000-memory.dmp

Filesize
276KB

Download
memory/1812-153-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/1812-154-0x0000000075860000-0x0000000075DE4000-memory.dmp

Filesize
5.5MB

Download
memory/1812-155-0x0000000076310000-0x0000000077658000-memory.dmp

Filesize
19.3MB

Download
memory/1812-157-0x000000006FED0000-0x000000006FF1B000-memory.dmp

Filesize
300KB

Download
memory/1812-156-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/2000-243-0x000000001BDC0000-0x000000001BDC1000-memory.dmp

Filesize
4KB

Download
memory/2000-244-0x0000000001590000-0x0000000001591000-memory.dmp

Filesize
4KB

Download
memory/2000-242-0x000000001BF20000-0x000000001BF22000-memory.dmp

Filesize
8KB

Download
memory/2000-240-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2000-237-0x0000000000000000-mapping.dmp

Download
memory/2076-208-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2076-207-0x0000000000510000-0x000000000065A000-memory.dmp

Filesize
1.3MB

Download
memory/2076-193-0x0000000000000000-mapping.dmp

Download
memory/2076-206-0x00000000008A1000-0x00000000008F0000-memory.dmp

Filesize
316KB

Download
memory/2176-116-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2176-115-0x0000000000851000-0x0000000000862000-memory.dmp

Filesize
68KB

Download
memory/2264-184-0x0000000000000000-mapping.dmp

Download
memory/2328-191-0x0000000000000000-mapping.dmp

Download
memory/2476-183-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2476-178-0x0000000000000000-mapping.dmp

Download
memory/2476-182-0x0000000002090000-0x00000000020C9000-memory.dmp

Filesize
228KB

Download
memory/2480-201-0x0000000000000000-mapping.dmp

Download
memory/2564-148-0x0000000000000000-mapping.dmp

Download
memory/2564-151-0x0000000002540000-0x00000000025A3000-memory.dmp

Filesize
396KB

Download
memory/2672-117-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2672-118-0x0000000000402F47-mapping.dmp

Download
memory/2796-185-0x0000000000000000-mapping.dmp

Download
memory/2808-144-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2808-136-0x0000000002120000-0x00000000021AF000-memory.dmp

Filesize
572KB

Download
memory/2808-128-0x0000000000000000-mapping.dmp

Download
memory/3028-119-0x0000000002160000-0x0000000002176000-memory.dmp

Filesize
88KB

Download
memory/3028-127-0x0000000002830000-0x0000000002846000-memory.dmp

Filesize
88KB

Download
memory/3164-120-0x0000000000000000-mapping.dmp

Download
memory/3376-217-0x00000000004764DE-mapping.dmp

Download
memory/3376-216-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3512-188-0x0000000000000000-mapping.dmp

Download
memory/3528-186-0x0000000000000000-mapping.dmp

Download
memory/3564-205-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3564-199-0x00000000007D8000-0x00000000007F6000-memory.dmp

Filesize
120KB

Download
memory/3564-197-0x0000000000000000-mapping.dmp

Download
memory/3564-204-0x0000000000460000-0x00000000005AA000-memory.dmp

Filesize
1.3MB

Download
memory/3748-203-0x0000000000000000-mapping.dmp

Download
memory/3760-196-0x0000000000000000-mapping.dmp

Download
memory/4068-125-0x0000000000402F47-mapping.dmp

Download
memory/4272-261-0x000000000041BCFE-mapping.dmp

Download
memory/4272-260-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4272-282-0x0000000005440000-0x0000000005A46000-memory.dmp

Filesize
6.0MB

Download
memory/4880-303-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4936-324-0x000002C24A605000-0x000002C24A607000-memory.dmp

Filesize
8KB

Download
memory/4936-314-0x000002C24A600000-0x000002C24A602000-memory.dmp

Filesize
8KB

Download
memory/4936-322-0x000002C24A604000-0x000002C24A605000-memory.dmp

Filesize
4KB

Download
memory/4936-323-0x000002C24A602000-0x000002C24A604000-memory.dmp

Filesize
8KB

Download
memory/4936-296-0x0000000000000000-mapping.dmp

Download
memory/5000-301-0x0000000000000000-mapping.dmp

Download
memory/5000-311-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download