asyncrat | e4f59660bf5047db2ed2539ef9a3e81724909809dc17c4f513debe261e1774e1

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2022 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dll Injector V1 Full_nls..scr
Size

681KB
MD5

0cfa5f7c008e3dc2df275a99aef9cbbb
SHA1

51ebdbc8a8227667b20b5cb40f17ff1bb8550098
SHA256

e4f59660bf5047db2ed2539ef9a3e81724909809dc17c4f513debe261e1774e1
SHA512

bac124c7bd934b1bc9ba9fd09ada77fe2c37208637337a349f2ee213f91e81ae401e3ec9910a7cfe7aff991d49be986d448ab6a834cb1b9709ceccb4f64bb37e

Score

10^/10

asyncrat blacknet securityhealth service windows defendersmartscreen windowssystem guardruntime xsfcrg persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

WindowsSystem GuardRuntime

217.64.31.3:8437

Mutex

WindowsSystem GuardRuntime

Attributes

delay
3
install
false
install_file
WindowsSystem Guard Runtime.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

SecurityHealth Service

217.64.31.3:8437

Mutex

SecurityHealth Service

Attributes

delay
3
install
false
install_file
SecurityHealth Service.exe
install_folder
%AppData%

aes.plain

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

XSFcRG

http://fakirlerclub.xyz/blacknet

Mutex

BN[ac95ac7ad595b3dbd5ad73e4bf7daac9]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
e162b1333458a713bc6916cc8ac4110c
startup
false
usb_spread
false

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Windows DefenderSmartScreen

217.64.31.3:9742

Mutex

Windows DefenderSmartScreen

Attributes

delay
1
install
false
install_file
Windows DefenderSmartScreen
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4064-197-0x0000000000400000-0x000000000041E000-memory.dmp	family_blacknet

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/4064-197-0x0000000000400000-0x000000000041E000-memory.dmp	disable_win_def

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

PURE.EXEVALSINKI PURE.EXEGRIM PURE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MIcrosoftEdge.exe\","	PURE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MIcrosoftEdge.exe\","	VALSINKI PURE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MIcrosoftEdge.exe\","	GRIM PURE.EXE

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4992-177-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/4308-189-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/5536-301-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat

Downloads MZ/PE file

Executes dropped EXE 16 IoCs

Processes:

tmp2FE9.tmp.exeGRIM ORG START.EXEGRIM PURE.EXEPURE.EXESOFTICA.EXEVALSINKI DATAEN.EXEVALSINKI PURE.EXEWINDOWS DEFENDERSMARTSCREEN2.EXEWINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXEDefenderProtector.exeWindowDefenderSmartScreen.exeWindows DefenderSmartScreen.exeprocessHUdVS.exeprocessHUdVS.exeprocessHUVS.exeprocessHUVS.exe

pid	process
2256	tmp2FE9.tmp.exe
3332	GRIM ORG START.EXE
552	GRIM PURE.EXE
2600	PURE.EXE
1960	SOFTICA.EXE
4952	VALSINKI DATAEN.EXE
3572	VALSINKI PURE.EXE
3672	WINDOWS DEFENDERSMARTSCREEN2.EXE
1956	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
4904	DefenderProtector.exe
1528	WindowDefenderSmartScreen.exe
5240	Windows DefenderSmartScreen.exe
6064	processHUdVS.exe
6124	processHUdVS.exe
1228	processHUVS.exe
4472	processHUVS.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp2FE9.tmp.exeGRIM ORG START.EXEWindowDefenderSmartScreen.exeprocessHUdVS.exeWindows DefenderSmartScreen.exeprocessHUVS.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	tmp2FE9.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	GRIM ORG START.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	WindowDefenderSmartScreen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	processHUdVS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	Windows DefenderSmartScreen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	processHUVS.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exemsedge.exemsedge.exeSOFTICA.EXEpowershell.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows DefenderSmartScreen = "C:\\Users\\Admin\\AppData\\Roaming\\Windows DefenderSmartScreen.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OperaSetups = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker\\RuntimeBroker.exe"	SOFTICA.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsSystem GuardRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsSystem GuardRuntime\\WindowsSystem GuardRuntime.exe"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindoDefenderSmartScreen = "C:\\Users\\Admin\\AppData\\Roaming\\WindowDefenderSmartScreen.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 7 IoCs

Processes:

Dll Injector V1 Full_nls..scrWINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXEPURE.EXEGRIM PURE.EXEVALSINKI PURE.EXEWindowDefenderSmartScreen.exeWindows DefenderSmartScreen.exe

description	pid	process	target process
PID 1968 set thread context of 2052	1968	Dll Injector V1 Full_nls..scr	AppLaunch.exe
PID 1956 set thread context of 4992	1956	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	RegAsm.exe
PID 2600 set thread context of 4308	2600	PURE.EXE	RegAsm.exe
PID 552 set thread context of 1300	552	GRIM PURE.EXE	RegAsm.exe
PID 3572 set thread context of 4064	3572	VALSINKI PURE.EXE	RegAsm.exe
PID 1528 set thread context of 4812	1528	WindowDefenderSmartScreen.exe	InstallUtil.exe
PID 5240 set thread context of 5536	5240	Windows DefenderSmartScreen.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4068 schtasks.exe
2112 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2772 timeout.exe

pid	process
4068	schtasks.exe
2112	schtasks.exe

pid	process
2772	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

Processes:

Dll Injector V1 Full_nls..scrOpenWith.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings	Dll Injector V1 Full_nls..scr
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	RegAsm.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

2232 PING.EXE
1328 PING.EXE
3164 PING.EXE
3376 PING.EXE
3116 PING.EXE
4844 PING.EXE

pid	process
2232	PING.EXE
1328	PING.EXE
3164	PING.EXE
3376	PING.EXE
3116	PING.EXE
4844	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Dll Injector V1 Full_nls..scrWINDOWS DEFENDERSMARTSCREEN2.EXEVALSINKI DATAEN.EXEGRIM ORG START.EXEPURE.EXEVALSINKI PURE.EXEGRIM PURE.EXE

pid	process
1968	Dll Injector V1 Full_nls..scr
1968	Dll Injector V1 Full_nls..scr
3672	WINDOWS DEFENDERSMARTSCREEN2.EXE
3672	WINDOWS DEFENDERSMARTSCREEN2.EXE
4952	VALSINKI DATAEN.EXE
4952	VALSINKI DATAEN.EXE
3332	GRIM ORG START.EXE
3332	GRIM ORG START.EXE
4952	VALSINKI DATAEN.EXE
3672	WINDOWS DEFENDERSMARTSCREEN2.EXE
4952	VALSINKI DATAEN.EXE
4952	VALSINKI DATAEN.EXE
4952	VALSINKI DATAEN.EXE
4952	VALSINKI DATAEN.EXE
4952	VALSINKI DATAEN.EXE
4952	VALSINKI DATAEN.EXE
4952	VALSINKI DATAEN.EXE
4952	VALSINKI DATAEN.EXE
4952	VALSINKI DATAEN.EXE
4952	VALSINKI DATAEN.EXE
4952	VALSINKI DATAEN.EXE
4952	VALSINKI DATAEN.EXE
4952	VALSINKI DATAEN.EXE
4952	VALSINKI DATAEN.EXE
4952	VALSINKI DATAEN.EXE
4952	VALSINKI DATAEN.EXE
4952	VALSINKI DATAEN.EXE
4952	VALSINKI DATAEN.EXE
2600	PURE.EXE
2600	PURE.EXE
4952	VALSINKI DATAEN.EXE
4952	VALSINKI DATAEN.EXE
4952	VALSINKI DATAEN.EXE
3572	VALSINKI PURE.EXE
3572	VALSINKI PURE.EXE
2600	PURE.EXE
2600	PURE.EXE
3572	VALSINKI PURE.EXE
3572	VALSINKI PURE.EXE
3672	WINDOWS DEFENDERSMARTSCREEN2.EXE
3672	WINDOWS DEFENDERSMARTSCREEN2.EXE
3672	WINDOWS DEFENDERSMARTSCREEN2.EXE
552	GRIM PURE.EXE
552	GRIM PURE.EXE
552	GRIM PURE.EXE
552	GRIM PURE.EXE
3332	GRIM ORG START.EXE
3332	GRIM ORG START.EXE
3332	GRIM ORG START.EXE
3332	GRIM ORG START.EXE
3672	WINDOWS DEFENDERSMARTSCREEN2.EXE
3672	WINDOWS DEFENDERSMARTSCREEN2.EXE
3672	WINDOWS DEFENDERSMARTSCREEN2.EXE
3672	WINDOWS DEFENDERSMARTSCREEN2.EXE
3572	VALSINKI PURE.EXE
3572	VALSINKI PURE.EXE
3672	WINDOWS DEFENDERSMARTSCREEN2.EXE
3672	WINDOWS DEFENDERSMARTSCREEN2.EXE
3672	WINDOWS DEFENDERSMARTSCREEN2.EXE
3672	WINDOWS DEFENDERSMARTSCREEN2.EXE
3672	WINDOWS DEFENDERSMARTSCREEN2.EXE
3672	WINDOWS DEFENDERSMARTSCREEN2.EXE
3672	WINDOWS DEFENDERSMARTSCREEN2.EXE
3672	WINDOWS DEFENDERSMARTSCREEN2.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

4828 OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exemsedge.exe

pid	process
408	msedge.exe
408	msedge.exe
408	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

Dll Injector V1 Full_nls..scrAppLaunch.exeGRIM PURE.EXEPURE.EXEVALSINKI PURE.EXEVALSINKI DATAEN.EXEWINDOWS DEFENDERSMARTSCREEN2.EXEGRIM ORG START.EXESOFTICA.EXERegAsm.exeRegAsm.exeDefenderProtector.exeWindowDefenderSmartScreen.exeWindows DefenderSmartScreen.exeInstallUtil.exeprocessHUdVS.exeprocessHUdVS.exeprocessHUVS.exeprocessHUVS.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1968	Dll Injector V1 Full_nls..scr
Token: SeDebugPrivilege	2052	AppLaunch.exe
Token: SeDebugPrivilege	552	GRIM PURE.EXE
Token: SeDebugPrivilege	2600	PURE.EXE
Token: SeDebugPrivilege	3572	VALSINKI PURE.EXE
Token: SeDebugPrivilege	4952	VALSINKI DATAEN.EXE
Token: SeDebugPrivilege	3672	WINDOWS DEFENDERSMARTSCREEN2.EXE
Token: SeDebugPrivilege	3332	GRIM ORG START.EXE
Token: SeDebugPrivilege	1960	SOFTICA.EXE
Token: SeDebugPrivilege	4064	RegAsm.exe
Token: SeDebugPrivilege	1300	RegAsm.exe
Token: SeDebugPrivilege	4904	DefenderProtector.exe
Token: SeDebugPrivilege	1528	WindowDefenderSmartScreen.exe
Token: SeDebugPrivilege	5240	Windows DefenderSmartScreen.exe
Token: SeDebugPrivilege	4812	InstallUtil.exe
Token: SeDebugPrivilege	6064	processHUdVS.exe
Token: SeDebugPrivilege	6124	processHUdVS.exe
Token: SeDebugPrivilege	1228	processHUVS.exe
Token: SeDebugPrivilege	4472	processHUVS.exe
Token: SeDebugPrivilege	5536	InstallUtil.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

msedge.exemsedge.exe

pid process

408 msedge.exe
408 msedge.exe
408 msedge.exe
2540 msedge.exe
2540 msedge.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

OpenWith.exeRegAsm.exeInstallUtil.exe

pid	process
4828	OpenWith.exe
4828	OpenWith.exe
4828	OpenWith.exe
4828	OpenWith.exe
4828	OpenWith.exe
4828	OpenWith.exe
4828	OpenWith.exe
4828	OpenWith.exe
4828	OpenWith.exe
4828	OpenWith.exe
4828	OpenWith.exe
4828	OpenWith.exe
4828	OpenWith.exe
4064	RegAsm.exe
4064	RegAsm.exe
4812	InstallUtil.exe
4812	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Dll Injector V1 Full_nls..scrAppLaunch.exetmp2FE9.tmp.exeWINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXEConhost.exeVALSINKI DATAEN.EXEWINDOWS DEFENDERSMARTSCREEN2.EXEPURE.EXEVALSINKI PURE.EXE

description	pid	process	target process
PID 1968 wrote to memory of 2052	1968	Dll Injector V1 Full_nls..scr	AppLaunch.exe
PID 1968 wrote to memory of 2052	1968	Dll Injector V1 Full_nls..scr	AppLaunch.exe
PID 1968 wrote to memory of 2052	1968	Dll Injector V1 Full_nls..scr	AppLaunch.exe
PID 1968 wrote to memory of 2052	1968	Dll Injector V1 Full_nls..scr	AppLaunch.exe
PID 1968 wrote to memory of 2052	1968	Dll Injector V1 Full_nls..scr	AppLaunch.exe
PID 1968 wrote to memory of 2052	1968	Dll Injector V1 Full_nls..scr	AppLaunch.exe
PID 1968 wrote to memory of 2052	1968	Dll Injector V1 Full_nls..scr	AppLaunch.exe
PID 1968 wrote to memory of 2052	1968	Dll Injector V1 Full_nls..scr	AppLaunch.exe
PID 2052 wrote to memory of 2256	2052	AppLaunch.exe	tmp2FE9.tmp.exe
PID 2052 wrote to memory of 2256	2052	AppLaunch.exe	tmp2FE9.tmp.exe
PID 2052 wrote to memory of 2256	2052	AppLaunch.exe	tmp2FE9.tmp.exe
PID 2256 wrote to memory of 3332	2256	tmp2FE9.tmp.exe	GRIM ORG START.EXE
PID 2256 wrote to memory of 3332	2256	tmp2FE9.tmp.exe	GRIM ORG START.EXE
PID 2256 wrote to memory of 552	2256	tmp2FE9.tmp.exe	GRIM PURE.EXE
PID 2256 wrote to memory of 552	2256	tmp2FE9.tmp.exe	GRIM PURE.EXE
PID 2256 wrote to memory of 552	2256	tmp2FE9.tmp.exe	GRIM PURE.EXE
PID 2256 wrote to memory of 2600	2256	tmp2FE9.tmp.exe	PURE.EXE
PID 2256 wrote to memory of 2600	2256	tmp2FE9.tmp.exe	PURE.EXE
PID 2256 wrote to memory of 2600	2256	tmp2FE9.tmp.exe	PURE.EXE
PID 2256 wrote to memory of 1960	2256	tmp2FE9.tmp.exe	SOFTICA.EXE
PID 2256 wrote to memory of 1960	2256	tmp2FE9.tmp.exe	SOFTICA.EXE
PID 2256 wrote to memory of 1960	2256	tmp2FE9.tmp.exe	SOFTICA.EXE
PID 2256 wrote to memory of 4952	2256	tmp2FE9.tmp.exe	VALSINKI DATAEN.EXE
PID 2256 wrote to memory of 4952	2256	tmp2FE9.tmp.exe	VALSINKI DATAEN.EXE
PID 2256 wrote to memory of 4952	2256	tmp2FE9.tmp.exe	VALSINKI DATAEN.EXE
PID 2256 wrote to memory of 3572	2256	tmp2FE9.tmp.exe	VALSINKI PURE.EXE
PID 2256 wrote to memory of 3572	2256	tmp2FE9.tmp.exe	VALSINKI PURE.EXE
PID 2256 wrote to memory of 3572	2256	tmp2FE9.tmp.exe	VALSINKI PURE.EXE
PID 2256 wrote to memory of 3672	2256	tmp2FE9.tmp.exe	WINDOWS DEFENDERSMARTSCREEN2.EXE
PID 2256 wrote to memory of 3672	2256	tmp2FE9.tmp.exe	WINDOWS DEFENDERSMARTSCREEN2.EXE
PID 2256 wrote to memory of 3672	2256	tmp2FE9.tmp.exe	WINDOWS DEFENDERSMARTSCREEN2.EXE
PID 2256 wrote to memory of 1956	2256	tmp2FE9.tmp.exe	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
PID 2256 wrote to memory of 1956	2256	tmp2FE9.tmp.exe	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
PID 2256 wrote to memory of 1956	2256	tmp2FE9.tmp.exe	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
PID 1956 wrote to memory of 3312	1956	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	powershell.exe
PID 1956 wrote to memory of 3312	1956	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	powershell.exe
PID 1956 wrote to memory of 3312	1956	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	powershell.exe
PID 1956 wrote to memory of 3976	1956	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	Conhost.exe
PID 1956 wrote to memory of 3976	1956	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	Conhost.exe
PID 1956 wrote to memory of 3976	1956	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	Conhost.exe
PID 1956 wrote to memory of 4992	1956	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	RegAsm.exe
PID 1956 wrote to memory of 4992	1956	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	RegAsm.exe
PID 1956 wrote to memory of 4992	1956	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	RegAsm.exe
PID 1956 wrote to memory of 4992	1956	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	RegAsm.exe
PID 1956 wrote to memory of 4992	1956	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	RegAsm.exe
PID 1956 wrote to memory of 4992	1956	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	RegAsm.exe
PID 1956 wrote to memory of 4992	1956	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	RegAsm.exe
PID 1956 wrote to memory of 4992	1956	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	RegAsm.exe
PID 3976 wrote to memory of 4068	3976	Conhost.exe	schtasks.exe
PID 3976 wrote to memory of 4068	3976	Conhost.exe	schtasks.exe
PID 3976 wrote to memory of 4068	3976	Conhost.exe	schtasks.exe
PID 4952 wrote to memory of 3416	4952	VALSINKI DATAEN.EXE	cmd.exe
PID 4952 wrote to memory of 3416	4952	VALSINKI DATAEN.EXE	cmd.exe
PID 4952 wrote to memory of 3416	4952	VALSINKI DATAEN.EXE	cmd.exe
PID 3672 wrote to memory of 4388	3672	WINDOWS DEFENDERSMARTSCREEN2.EXE	cmd.exe
PID 3672 wrote to memory of 4388	3672	WINDOWS DEFENDERSMARTSCREEN2.EXE	cmd.exe
PID 3672 wrote to memory of 4388	3672	WINDOWS DEFENDERSMARTSCREEN2.EXE	cmd.exe
PID 2600 wrote to memory of 4308	2600	PURE.EXE	RegAsm.exe
PID 2600 wrote to memory of 4308	2600	PURE.EXE	RegAsm.exe
PID 2600 wrote to memory of 4308	2600	PURE.EXE	RegAsm.exe
PID 4952 wrote to memory of 3296	4952	VALSINKI DATAEN.EXE	cmd.exe
PID 4952 wrote to memory of 3296	4952	VALSINKI DATAEN.EXE	cmd.exe
PID 4952 wrote to memory of 3296	4952	VALSINKI DATAEN.EXE	cmd.exe
PID 3572 wrote to memory of 4928	3572	VALSINKI PURE.EXE	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\Dll Injector V1 Full_nls..scr
"C:\Users\Admin\AppData\Local\Temp\Dll Injector V1 Full_nls..scr" /S
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052

C:\Users\Admin\AppData\Local\Temp\tmp2FE9.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2FE9.tmp.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2256

C:\Users\Admin\AppData\Roaming\GRIM ORG START.EXE
"C:\Users\Admin\AppData\Roaming\GRIM ORG START.EXE"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "DefenderProtector" /tr '"C:\Users\Admin\AppData\Roaming\DefenderProtector.exe"' & exit
5⤵
PID:1608

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "DefenderProtector" /tr '"C:\Users\Admin\AppData\Roaming\DefenderProtector.exe"'
6⤵
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp87DD.tmp.bat""
5⤵
PID:4688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\system32\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:2772

C:\Users\Admin\AppData\Roaming\DefenderProtector.exe
"C:\Users\Admin\AppData\Roaming\DefenderProtector.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Users\Admin\AppData\Roaming\GRIM PURE.EXE
"C:\Users\Admin\AppData\Roaming\GRIM PURE.EXE"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
5⤵
PID:1144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
5⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Users\Admin\AppData\Roaming\PURE.EXE
"C:\Users\Admin\AppData\Roaming\PURE.EXE"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
5⤵
PID:4308

C:\Users\Admin\AppData\Roaming\SOFTICA.EXE
"C:\Users\Admin\AppData\Roaming\SOFTICA.EXE"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Users\Admin\AppData\Roaming\VALSINKI DATAEN.EXE
"C:\Users\Admin\AppData\Roaming\VALSINKI DATAEN.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "WindoDefenderSmartScreen" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe"
5⤵
PID:3416

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 7
6⤵
- Runs ping.exe
PID:3164

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "WindoDefenderSmartScreen" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe"
6⤵
- Adds Run key to start application
PID:4040

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 8 > nul && copy "C:\Users\Admin\AppData\Roaming\VALSINKI DATAEN.EXE" "C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe" && ping 127.0.0.1 -n 8 > nul && "C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe"
5⤵
PID:3296

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 8
6⤵
- Runs ping.exe
PID:3116

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 8
6⤵
- Runs ping.exe
PID:2232

C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe
"C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4812

C:\Users\Admin\AppData\Local\Temp\processHUdVS.exe
"C:\Users\Admin\AppData\Local\Temp\processHUdVS.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:6064

C:\Users\Admin\AppData\Local\Temp\processHUdVS.exe
"C:\Users\Admin\AppData\Local\Temp\processHUdVS.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6124

C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDERSMARTSCREEN2.EXE
"C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDERSMARTSCREEN2.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 10 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows DefenderSmartScreen" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe"
5⤵
PID:4388

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 10
6⤵
- Runs ping.exe
PID:3376

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows DefenderSmartScreen" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe"
6⤵
- Adds Run key to start application
PID:2880

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 19 > nul && copy "C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDERSMARTSCREEN2.EXE" "C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe" && ping 127.0.0.1 -n 19 > nul && "C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe"
5⤵
PID:3716

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 19
6⤵
- Runs ping.exe
PID:4844

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 19
6⤵
- Runs ping.exe
PID:1328

C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe
"C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:5536

C:\Users\Admin\AppData\Local\Temp\processHUVS.exe
"C:\Users\Admin\AppData\Local\Temp\processHUVS.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Users\Admin\AppData\Local\Temp\processHUVS.exe
"C:\Users\Admin\AppData\Local\Temp\processHUVS.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:5588

C:\Users\Admin\AppData\Roaming\WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
"C:\Users\Admin\AppData\Roaming\WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsSystem GuardRuntime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsSystem GuardRuntime' -Value '"C:\Users\Admin\AppData\Roaming\WindowsSystem GuardRuntime\WindowsSystem GuardRuntime.exe"' -PropertyType 'String'
5⤵
- Adds Run key to start application
PID:3312

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \WindowsSystem GuardRuntime /tr "C:\Users\Admin\AppData\Roaming\WindowsSystem GuardRuntime\WindowsSystem GuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
5⤵
PID:3976

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \WindowsSystem GuardRuntime /tr "C:\Users\Admin\AppData\Roaming\WindowsSystem GuardRuntime\WindowsSystem GuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:4068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
5⤵
PID:4992

C:\Users\Admin\AppData\Roaming\VALSINKI PURE.EXE
"C:\Users\Admin\AppData\Roaming\VALSINKI PURE.EXE"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
5⤵
PID:4928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
5⤵
PID:1408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4064

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://5appdata5/
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0x94,0x124,0x7ffd1eb546f8,0x7ffd1eb54708,0x7ffd1eb54718
2⤵
PID:1352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,4300630172237453511,8217641221379981865,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
2⤵
PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,4300630172237453511,8217641221379981865,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
2⤵
PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,4300630172237453511,8217641221379981865,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
2⤵
PID:4388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4300630172237453511,8217641221379981865,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
2⤵
PID:1712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4300630172237453511,8217641221379981865,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
2⤵
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1924,4300630172237453511,8217641221379981865,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5256 /prefetch:8
2⤵
PID:3204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4300630172237453511,8217641221379981865,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
2⤵
PID:3420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://5appdata5/
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:2540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1eb546f8,0x7ffd1eb54708,0x7ffd1eb54718
2⤵
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
2⤵
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
2⤵
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
2⤵
PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
2⤵
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
2⤵
PID:60

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 /prefetch:8
2⤵
PID:792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
2⤵
PID:1408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:1
2⤵
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 /prefetch:8
2⤵
PID:5148

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:8
2⤵
PID:5192

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:8
2⤵
PID:5412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
2⤵
PID:5556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
2⤵
PID:5628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
2⤵
PID:5644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2552 /prefetch:1
2⤵
PID:5164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e0652753ffba69e75a830c7b31362548

SHA1
2daede2707cf9cdea1926a862ca398384a5c55aa

SHA256
60b78bd274e3250335941adfd6db0a94d39a2fe0891467f7d8af4a5ca38d1ae0

SHA512
38816ecffe0dc699e7ace9c3dc7e4a787741458f2dd2381c8541049f7a6331ea96d047be93a5e0a7fd5a0c5fc30eabf73d44ac5e77441d03d4d070f19f3ea5aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0
Filesize
44KB

MD5
c8291dd9a651b06da2afa75cd9d2cb1e

SHA1
b2670e333fdc2233f2f0d81e2b89ced12145b459

SHA256
8d211e6d97084105648815d3ecc23ca3d9ceba6b33f2a96ce3cfba4a8e026918

SHA512
84d78e37b06417e82e1685838315e1c3760d54da9ffe995449e2ab6945f70a0fa2a182972e3979a7639626f1b3c9f945817b3fe13a53d4385ebe72e7ae717253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
Filesize
264KB

MD5
885a7a29cc6ba0651938d22686592889

SHA1
6db07b9daf26a8362587d94288058354a9b1fd1a

SHA256
7919ea0f66833f1ccf0821e62f118bdae3877bc12427c702ebc4c11468a42f78

SHA512
60d381f05beffa5c217f93f448847fa4dfc588c6c8e6678d7d40cb11479ea27cf02a90f4df6d49511873ccf522c77e695c90be9306da9cd8f276bffa0c8be7ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\index
Filesize
256KB

MD5
de0c31c710bc5e2faf2da212c26058af

SHA1
96b64e52db8f7a5beb5e151d1410bcfd05c18626

SHA256
7a6592eacf58578b0954cb025263bdef9eeb59fb1ed33b5e488ecd9d6b6025d2

SHA512
aa9381d949fc4f19e778ea4ff5e2991b2a51da7445ce4214015387af34e2495093b3bd7ba936762f2054f932c7b4844bec1aef6367f8fcefaba97d19c262585f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\index
Filesize
256KB

MD5
cc94f9fe5cf60ffdcdaa182efe218a4e

SHA1
cb78214ec56ecef59e4554eb26a73d89bcb46642

SHA256
3df46d4b0d3b330b56ead6ea31601aac3975db2d17e6a727e3fad1903e4d0135

SHA512
5bc17b487ea6d9158de7e06e869a6c26bf16071ca084958f3d420b2fe76c376402b38dc124bd3f88f2bbea48ccc99b2f5eacd1200c4c838237b7add821acc9d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache
Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5a15df6825fe6d7855b655a753033ad6

SHA1
8e05e92bd013b851dc4ea7ad6e8ea682d0c37f44

SHA256
888a77dd8ff563164625ec6275048fb39e4813169cb47050f712968fe8dc9c67

SHA512
c52f05b91287d301f62c66157928244b82f6a5f9d908ed6ce476967b6094add98f487a9233912015d17bebe88022492e394418a2549423021daa41c012b784e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
f0e03ef5030c94ee408b59f55f9ef1ce

SHA1
f36ddd69a832eed1616f9d72740afade393ac4f0

SHA256
253285f26092ce49af17f2968e4d866597ddb67d17d191912a6defb76443e282

SHA512
40735cb2f9c20a819357966fe76c04113b3847698ae64ea94ee4995e4095053357122e3b62a501e35d8d957d4ef4453694aba6117e94890c3d2ac8dc9add71ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13305683163296147
Filesize
785B

MD5
a317381b9485543562d9bf0b8a741d3e

SHA1
e42ba74bcfbf0459a64bda77a996cbc948790908

SHA256
56a75706187b0aa02d6f2281a2948dae5cfe07420718269200afb76647ad1f1d

SHA512
f14992698166ced6d87103053e9987d51ed932e08d0c9665ef892fb513928e5172ba77ff9a4a640d518f7f0cf827d0443f7fe20d649542e526cd648d94d36134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
Filesize
347B

MD5
fe892cdbae95b5418e2e563d63773446

SHA1
082a78e266832b34dd0209af70d5409540a5482e

SHA256
1f29d0508c38f9fe0cdc7a35a350f3ad1d2affd03b6e171c68640e901d2aa6f7

SHA512
15ce0896a54c82258c1ddb5a6218932cbf8b7cd5f3ad8c3d16c5928d2dad76b9694478c6b0162d87dd8339c04ff39bc400fc0311ae68392e5d3a7241ab44a17d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
Filesize
326B

MD5
a27cd9bd9ffe1bad6cb19ebe5b2d7070

SHA1
e0aa7610e906b5a6b3f40b52ff3f8557ea90ba3a

SHA256
319b7d5d97dc4d8816c91494907071a209dcbad924117d66c982fcacbbc33ce1

SHA512
ceaececffec5c0fe2e90b1c9102bbdc400cfcd1e35a00256ddd84763e0579269f28d06a1b487ab97dcef83c52f3b7e8813aa9914e242df880a05453bd0067bfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites
Filesize
20KB

MD5
f44dc73f9788d3313e3e25140002587c

SHA1
5aec4edc356bc673cba64ff31148b934a41d44c4

SHA256
2002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983

SHA512
e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
Filesize
128KB

MD5
8d509b927423a4e1a1bd485ccf9100b1

SHA1
e22d4796068ed2d2f16f709c9b2d1e6a7564388a

SHA256
8eb67287ed8e8444474600a9f192ebd9feaa1247ea6e3663a459f5653271f95f

SHA512
59337643f6f284565c9e9c15b272dbabf9bad487bd01e911ebb290393e75cec790d2aeb1bb394a5b984cea90ee8595ab432c76b84f1e4e258cd90c6612b094ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db
Filesize
44KB

MD5
2345d445dbf90f95fa964c1d62918fd2

SHA1
dffbcea71a6c64298a7a33d7957f1544302e8251

SHA256
450099ec17f02c6aab7bd3cabe8252acca8c95417f546b274fee8baf9e8f5708

SHA512
1041959edf713bd8b5fa9bdc9ea41a60d13b56263395abc8b2ccd6baf52f8707f3612c2b7ad04b8ca9a7537cc9ebede891f183a337e9732d621006765c684ced

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
a2e38da5a8cae419c938e08839839b8a

SHA1
671e25cd0362b6eaaaeebd7ea5aa295b69c42511

SHA256
98f4678556b076ccf553a40793c318e80c946d12c2e21d38c12acce28fd8c8cf

SHA512
7a4c7217dd36e493a41d188b54576d4fe42ab01dacc3f872d0a4154665f7c9da4f8ec1df0599c4c6c8b5ef299ef5a2a507732a384e6a5da6489366b927118e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings
Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris
Filesize
40B

MD5
3a4925bf43d88091631c6f9df6ecbb61

SHA1
6a4c5417862bb3abcc667de18928141d178dde37

SHA256
04d7f3bd3183efb4c32acb4726d419258b8ea83f5b33a4a564af542714ff65e1

SHA512
c095a8205dedcd2a972d90544d651c4e7f79bd68607b4e04041d7850126698810cd47f77abc53ec1d16671718d2cbbaf05222faacc97c14c9729a910fb7bdd30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_637968029868719380
Filesize
4KB

MD5
70e5d578452f7d2d1a0e342b9d62b75c

SHA1
b04eb46ef045c4f52f982beff72b40cf9327f3e4

SHA256
88e1772f03d809f7285455a24af2ef3525e2062a42b5b36df0b2a1a4b72d7f9d

SHA512
3f076e56fb9d780290a8cd6f75cf59d61dc1804dcd0a14b9278eb42644bd6aa037d4722213173ba7c27c47a06a733a9bb4c486af8b08443ea7c9dd325dc4b99d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic
Filesize
29B

MD5
ce545b52b20b2f56ffb26d2ca2ed4491

SHA1
ebe904c20bb43891db4560f458e66663826aa885

SHA256
e9d5684e543b573010f8b55b11bf571caf0a225cdea03f520091525978023899

SHA512
1ea06c8e3f03efdd67779969b4cdf7d8e08f8327298668a7cffd67d1753f33cf19e6995a3d83fe45185c55b950f41e48ac71b422b91e8d0180b5bdd07cfacfe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_637811103879324684
Filesize
450KB

MD5
a7aab197b91381bcdec092e1910a3d62

SHA1
35794f2d2df163223391a2b21e1610f14f46a78f

SHA256
6337fe4e6e7464e319dfcdadf472987592013cf80d44916f5151950b4a4ca14b

SHA512
cffd7350d1e69ada5f64cafe42a9d77e3192927e129f2903088b66b6efc9626b5d525aedca08d473ad8fa415af1d816594b243609237dc23716d70a2ca0eb774

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2FE9.tmp.exe
Filesize
5.6MB

MD5
4bb7f0bad8e479f59da6821dc3cbc03f

SHA1
354c80b709a8eff0da641fabc73f036c5b45b4d3

SHA256
4cd3c805a6c796530a65b0e3650a92eac73b44d8b534669231865837c6c27a69

SHA512
caa08b5114fd98fb7d4baedfc11796196c844a47b915d9b6db6c2fd0d4eb5a5a2715df505247ee40cf3c308b4861a9994995586eb28250d5157d8b56298a86f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2FE9.tmp.exe
Filesize
5.6MB

MD5
4bb7f0bad8e479f59da6821dc3cbc03f

SHA1
354c80b709a8eff0da641fabc73f036c5b45b4d3

SHA256
4cd3c805a6c796530a65b0e3650a92eac73b44d8b534669231865837c6c27a69

SHA512
caa08b5114fd98fb7d4baedfc11796196c844a47b915d9b6db6c2fd0d4eb5a5a2715df505247ee40cf3c308b4861a9994995586eb28250d5157d8b56298a86f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp87DD.tmp.bat
Filesize
161B

MD5
0f60eee144ddb69e69b9a2801a6da0c4

SHA1
5e049d5868aa0d05d4fa8a7ee778f3126b21943d

SHA256
1d1dee34b03649975715c3c94c5c602a4cf6e9130c2dddf0c95ff0c906ea74e9

SHA512
6d52d638b9220db2e776ebc73ec3d05bd62cd973251c816630b17dced9589c36849db8b1b764b9ac4279521a1db71d84826e57221416df272d9b4dfe73c52e1f

Download Submit
C:\Users\Admin\AppData\Roaming\DefenderProtector.exe
Filesize
279KB

MD5
2bb0d97d59e57d4b018564507f979f3d

SHA1
5637a617c2ea8b454c4e93e4fce099f69faf49b1

SHA256
cd788384c672f9838c1542de5235620492fcd3b003093b0275aa3e6a46ca9ef4

SHA512
429741a50b2ac53418c715e5234b405d2fda3ee428afed6ad49f35b7b2ac98f1e8dad55379923c4e9cd073c2834c6781be852360247bbf6d49b4f022baec7ca8

Download Submit
C:\Users\Admin\AppData\Roaming\DefenderProtector.exe
Filesize
279KB

MD5
2bb0d97d59e57d4b018564507f979f3d

SHA1
5637a617c2ea8b454c4e93e4fce099f69faf49b1

SHA256
cd788384c672f9838c1542de5235620492fcd3b003093b0275aa3e6a46ca9ef4

SHA512
429741a50b2ac53418c715e5234b405d2fda3ee428afed6ad49f35b7b2ac98f1e8dad55379923c4e9cd073c2834c6781be852360247bbf6d49b4f022baec7ca8

Download Submit
C:\Users\Admin\AppData\Roaming\GRIM ORG START.EXE
Filesize
279KB

MD5
2bb0d97d59e57d4b018564507f979f3d

SHA1
5637a617c2ea8b454c4e93e4fce099f69faf49b1

SHA256
cd788384c672f9838c1542de5235620492fcd3b003093b0275aa3e6a46ca9ef4

SHA512
429741a50b2ac53418c715e5234b405d2fda3ee428afed6ad49f35b7b2ac98f1e8dad55379923c4e9cd073c2834c6781be852360247bbf6d49b4f022baec7ca8

Download Submit
C:\Users\Admin\AppData\Roaming\GRIM ORG START.EXE
Filesize
279KB

MD5
2bb0d97d59e57d4b018564507f979f3d

SHA1
5637a617c2ea8b454c4e93e4fce099f69faf49b1

SHA256
cd788384c672f9838c1542de5235620492fcd3b003093b0275aa3e6a46ca9ef4

SHA512
429741a50b2ac53418c715e5234b405d2fda3ee428afed6ad49f35b7b2ac98f1e8dad55379923c4e9cd073c2834c6781be852360247bbf6d49b4f022baec7ca8

Download Submit
C:\Users\Admin\AppData\Roaming\GRIM PURE.EXE
Filesize
12KB

MD5
0f7bba77e7a6219abb730495e7f4b4c7

SHA1
34ae94ef50573476a34f0545009e44b4364b9f48

SHA256
4a5ee7c191a4830cc3433ba61e7803cc90796bcf20f5d9d4aa47a5c12ddabd3b

SHA512
4f198ad953b42cc6d7d05b0326c76f2bfd053c1f4c9041ea398731062cffc210977deaf006384b9e1c371086a866ccc688ad7a2bd82c18653e067caabd8d5aae

Download Submit
C:\Users\Admin\AppData\Roaming\GRIM PURE.EXE
Filesize
12KB

MD5
0f7bba77e7a6219abb730495e7f4b4c7

SHA1
34ae94ef50573476a34f0545009e44b4364b9f48

SHA256
4a5ee7c191a4830cc3433ba61e7803cc90796bcf20f5d9d4aa47a5c12ddabd3b

SHA512
4f198ad953b42cc6d7d05b0326c76f2bfd053c1f4c9041ea398731062cffc210977deaf006384b9e1c371086a866ccc688ad7a2bd82c18653e067caabd8d5aae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MIcrosoftEdge.exe
Filesize
12KB

MD5
a338b5d30d5e20938f6c7d186b013759

SHA1
1b30c511aabf8c55c327898b1bc82ae2022b1f20

SHA256
f69138a24b385afc10b8cfe81a567b3f1aa2c8ac9cd34e40195d80d7659197d7

SHA512
2e086a913da79587e18a8c4c60b9de5a1bc95d7f0da392001fb2e3b6449a6efb93c08a921ce049e54be17bbd944706372b2857a1429ad5d0604ef446ba870660

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MIcrosoftEdge.exe
Filesize
12KB

MD5
0f7bba77e7a6219abb730495e7f4b4c7

SHA1
34ae94ef50573476a34f0545009e44b4364b9f48

SHA256
4a5ee7c191a4830cc3433ba61e7803cc90796bcf20f5d9d4aa47a5c12ddabd3b

SHA512
4f198ad953b42cc6d7d05b0326c76f2bfd053c1f4c9041ea398731062cffc210977deaf006384b9e1c371086a866ccc688ad7a2bd82c18653e067caabd8d5aae

Download Submit
C:\Users\Admin\AppData\Roaming\PURE.EXE
Filesize
12KB

MD5
067b49ce5caf426877fcc6ca178491a7

SHA1
ac71a4d3f5eeafac96f5d1915ca7e5d0bdf292f3

SHA256
1a8e00e3e52a737a298a474f205d205955661415500c3d7f9e22fb311a7e162d

SHA512
52cc0de51953e092261d4c94e6c1045d984cc1bc0877bd799a0aca22ce17e2cb9b851761527dcec584eb37d1370c6fe17ce5c8870b82f5a45d8cc4571dd6084d

Download Submit
C:\Users\Admin\AppData\Roaming\PURE.EXE
Filesize
12KB

MD5
067b49ce5caf426877fcc6ca178491a7

SHA1
ac71a4d3f5eeafac96f5d1915ca7e5d0bdf292f3

SHA256
1a8e00e3e52a737a298a474f205d205955661415500c3d7f9e22fb311a7e162d

SHA512
52cc0de51953e092261d4c94e6c1045d984cc1bc0877bd799a0aca22ce17e2cb9b851761527dcec584eb37d1370c6fe17ce5c8870b82f5a45d8cc4571dd6084d

Download Submit
C:\Users\Admin\AppData\Roaming\SOFTICA.EXE
Filesize
4.0MB

MD5
040bd5f344fe41128d1372340d9650b7

SHA1
8c67bccebf50a74a4f32ae5db55d33c333811d42

SHA256
2b86cdac51e413cfd0dc6cd0f3aa10f27e71e717e115647e8930e477ef7fcdfc

SHA512
14657d028870d4639373c4c3616289136f0cc83c9fc2082c9ccc40345b64444c492a29daa2202c70e27ce5990404b05a6fead4c84ac2bc1be1e5a835efb62f85

Download Submit
C:\Users\Admin\AppData\Roaming\SOFTICA.EXE
Filesize
4.0MB

MD5
040bd5f344fe41128d1372340d9650b7

SHA1
8c67bccebf50a74a4f32ae5db55d33c333811d42

SHA256
2b86cdac51e413cfd0dc6cd0f3aa10f27e71e717e115647e8930e477ef7fcdfc

SHA512
14657d028870d4639373c4c3616289136f0cc83c9fc2082c9ccc40345b64444c492a29daa2202c70e27ce5990404b05a6fead4c84ac2bc1be1e5a835efb62f85

Download Submit
C:\Users\Admin\AppData\Roaming\VALSINKI DATAEN.EXE
Filesize
624KB

MD5
5e56235cac2cf93002c366489c7fa7c8

SHA1
67a96b5f8127ae819517347e098da58af42e6117

SHA256
ce3b28d738549a19a8f2aa8eb6fd13bc088cf28e592a498d8c1239a3892f0b0a

SHA512
44d6bbef4870d1c050566fca25bba3786d181f8bb4120dc7f4d8c93683af0153b84946e46dff58ea348d65e7bb5d8857f4b2b038e8b870bd31a10d3a13e0ab32

Download Submit
C:\Users\Admin\AppData\Roaming\VALSINKI DATAEN.EXE
Filesize
624KB

MD5
5e56235cac2cf93002c366489c7fa7c8

SHA1
67a96b5f8127ae819517347e098da58af42e6117

SHA256
ce3b28d738549a19a8f2aa8eb6fd13bc088cf28e592a498d8c1239a3892f0b0a

SHA512
44d6bbef4870d1c050566fca25bba3786d181f8bb4120dc7f4d8c93683af0153b84946e46dff58ea348d65e7bb5d8857f4b2b038e8b870bd31a10d3a13e0ab32

Download Submit
C:\Users\Admin\AppData\Roaming\VALSINKI PURE.EXE
Filesize
12KB

MD5
a338b5d30d5e20938f6c7d186b013759

SHA1
1b30c511aabf8c55c327898b1bc82ae2022b1f20

SHA256
f69138a24b385afc10b8cfe81a567b3f1aa2c8ac9cd34e40195d80d7659197d7

SHA512
2e086a913da79587e18a8c4c60b9de5a1bc95d7f0da392001fb2e3b6449a6efb93c08a921ce049e54be17bbd944706372b2857a1429ad5d0604ef446ba870660

Download Submit
C:\Users\Admin\AppData\Roaming\VALSINKI PURE.EXE
Filesize
12KB

MD5
a338b5d30d5e20938f6c7d186b013759

SHA1
1b30c511aabf8c55c327898b1bc82ae2022b1f20

SHA256
f69138a24b385afc10b8cfe81a567b3f1aa2c8ac9cd34e40195d80d7659197d7

SHA512
2e086a913da79587e18a8c4c60b9de5a1bc95d7f0da392001fb2e3b6449a6efb93c08a921ce049e54be17bbd944706372b2857a1429ad5d0604ef446ba870660

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDERSMARTSCREEN2.EXE
Filesize
580KB

MD5
cec25ed7c1577b2afa0ffd0ee79a1416

SHA1
f9e2b7e1cdccbeb6fdab7d61fe0c48fe859d28a8

SHA256
5b9bc889577a20bbb676a8b296f2823780f2d1931f0aa9301d9b088e50622a43

SHA512
ed8f0f07116e7bc7a12a9613870a4e4ed07aeb53882715f2e02fce5acd870fb302f7a5d650867f401ac7e125cc4ad44709ebf97d8bf3d486ccb88cf2cd055c93

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDERSMARTSCREEN2.EXE
Filesize
580KB

MD5
cec25ed7c1577b2afa0ffd0ee79a1416

SHA1
f9e2b7e1cdccbeb6fdab7d61fe0c48fe859d28a8

SHA256
5b9bc889577a20bbb676a8b296f2823780f2d1931f0aa9301d9b088e50622a43

SHA512
ed8f0f07116e7bc7a12a9613870a4e4ed07aeb53882715f2e02fce5acd870fb302f7a5d650867f401ac7e125cc4ad44709ebf97d8bf3d486ccb88cf2cd055c93

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
Filesize
87KB

MD5
75fd186e8710fe1db3195e9495360d97

SHA1
9ca803b7c7f531da6f2e0d41d20103524164f487

SHA256
3382da4d56715d6a1ee83d45082a3f34413ba16a0728581e8c4462eb65ba1e2c

SHA512
722d6b570d0c342b77803a18ba70f48c865633512d02b77fd7ef3eb08718ecdd92bdd0dda679bd98883ee4972c068c20288e99eb5306aade6333fd43e2db4506

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
Filesize
87KB

MD5
75fd186e8710fe1db3195e9495360d97

SHA1
9ca803b7c7f531da6f2e0d41d20103524164f487

SHA256
3382da4d56715d6a1ee83d45082a3f34413ba16a0728581e8c4462eb65ba1e2c

SHA512
722d6b570d0c342b77803a18ba70f48c865633512d02b77fd7ef3eb08718ecdd92bdd0dda679bd98883ee4972c068c20288e99eb5306aade6333fd43e2db4506

Download Submit
C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe
Filesize
624KB

MD5
5e56235cac2cf93002c366489c7fa7c8

SHA1
67a96b5f8127ae819517347e098da58af42e6117

SHA256
ce3b28d738549a19a8f2aa8eb6fd13bc088cf28e592a498d8c1239a3892f0b0a

SHA512
44d6bbef4870d1c050566fca25bba3786d181f8bb4120dc7f4d8c93683af0153b84946e46dff58ea348d65e7bb5d8857f4b2b038e8b870bd31a10d3a13e0ab32

Download Submit
C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe
Filesize
624KB

MD5
5e56235cac2cf93002c366489c7fa7c8

SHA1
67a96b5f8127ae819517347e098da58af42e6117

SHA256
ce3b28d738549a19a8f2aa8eb6fd13bc088cf28e592a498d8c1239a3892f0b0a

SHA512
44d6bbef4870d1c050566fca25bba3786d181f8bb4120dc7f4d8c93683af0153b84946e46dff58ea348d65e7bb5d8857f4b2b038e8b870bd31a10d3a13e0ab32

Download Submit
\??\pipe\LOCAL\crashpad_2540_QDPSXBRGNKDAZPNH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_408_ZTBSENFOWSCDIVZE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/60-278-0x0000000000000000-mapping.dmp

Download
memory/552-143-0x0000000000000000-mapping.dmp

Download
memory/552-146-0x00000000008E0000-0x00000000008E8000-memory.dmp

Filesize
32KB

Download
memory/792-280-0x0000000000000000-mapping.dmp

Download
memory/1144-188-0x0000000000000000-mapping.dmp

Download
memory/1300-193-0x0000000000000000-mapping.dmp

Download
memory/1300-196-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1328-236-0x0000000000000000-mapping.dmp

Download
memory/1352-219-0x0000000000000000-mapping.dmp

Download
memory/1408-282-0x0000000000000000-mapping.dmp

Download
memory/1408-190-0x0000000000000000-mapping.dmp

Download
memory/1444-230-0x0000000000000000-mapping.dmp

Download
memory/1528-215-0x0000000000000000-mapping.dmp

Download
memory/1528-218-0x0000000000DA0000-0x0000000000E42000-memory.dmp

Filesize
648KB

Download
memory/1608-202-0x0000000000000000-mapping.dmp

Download
memory/1712-228-0x0000000000000000-mapping.dmp

Download
memory/1956-167-0x0000000000000000-mapping.dmp

Download
memory/1956-172-0x00000000001B0000-0x00000000001CC000-memory.dmp

Filesize
112KB

Download
memory/1960-151-0x0000000000000000-mapping.dmp

Download
memory/1960-158-0x0000000000B50000-0x0000000000F4C000-memory.dmp

Filesize
4.0MB

Download
memory/1968-132-0x0000000000DD0000-0x0000000000E80000-memory.dmp

Filesize
704KB

Download
memory/1968-133-0x00000000058D0000-0x00000000058F2000-memory.dmp

Filesize
136KB

Download
memory/2044-222-0x0000000000000000-mapping.dmp

Download
memory/2052-135-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2052-134-0x0000000000000000-mapping.dmp

Download
memory/2112-207-0x0000000000000000-mapping.dmp

Download
memory/2232-209-0x0000000000000000-mapping.dmp

Download
memory/2256-136-0x0000000000000000-mapping.dmp

Download
memory/2600-147-0x0000000000000000-mapping.dmp

Download
memory/2600-150-0x0000000000BB0000-0x0000000000BB8000-memory.dmp

Filesize
32KB

Download
memory/2772-206-0x0000000000000000-mapping.dmp

Download
memory/2880-214-0x0000000000000000-mapping.dmp

Download
memory/3116-194-0x0000000000000000-mapping.dmp

Download
memory/3164-191-0x0000000000000000-mapping.dmp

Download
memory/3204-232-0x0000000000000000-mapping.dmp

Download
memory/3296-184-0x0000000000000000-mapping.dmp

Download
memory/3312-174-0x0000000000000000-mapping.dmp

Download
memory/3332-169-0x00007FFD1F330000-0x00007FFD1FDF1000-memory.dmp

Filesize
10.8MB

Download
memory/3332-204-0x00007FFD1F330000-0x00007FFD1FDF1000-memory.dmp

Filesize
10.8MB

Download
memory/3332-139-0x0000000000000000-mapping.dmp

Download
memory/3332-142-0x0000022095D90000-0x0000022095DDC000-memory.dmp

Filesize
304KB

Download
memory/3332-201-0x00007FFD1F330000-0x00007FFD1FDF1000-memory.dmp

Filesize
10.8MB

Download
memory/3376-192-0x0000000000000000-mapping.dmp

Download
memory/3416-181-0x0000000000000000-mapping.dmp

Download
memory/3420-235-0x0000000000000000-mapping.dmp

Download
memory/3480-269-0x0000000000000000-mapping.dmp

Download
memory/3572-161-0x00000000004E0000-0x00000000004E8000-memory.dmp

Filesize
32KB

Download
memory/3572-155-0x0000000000000000-mapping.dmp

Download
memory/3672-180-0x00000000067A0000-0x00000000067AA000-memory.dmp

Filesize
40KB

Download
memory/3672-179-0x000000000AD40000-0x000000000ADD2000-memory.dmp

Filesize
584KB

Download
memory/3672-163-0x0000000000000000-mapping.dmp

Download
memory/3672-173-0x00000000003E0000-0x0000000000476000-memory.dmp

Filesize
600KB

Download
memory/3716-199-0x0000000000000000-mapping.dmp

Download
memory/3976-175-0x0000000000000000-mapping.dmp

Download
memory/4040-208-0x0000000000000000-mapping.dmp

Download
memory/4064-195-0x0000000000000000-mapping.dmp

Download
memory/4064-198-0x0000000005470000-0x00000000054C6000-memory.dmp

Filesize
344KB

Download
memory/4064-197-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4068-178-0x0000000000000000-mapping.dmp

Download
memory/4308-189-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4308-185-0x0000000000000000-mapping.dmp

Download
memory/4388-225-0x0000000000000000-mapping.dmp

Download
memory/4388-182-0x0000000000000000-mapping.dmp

Download
memory/4564-276-0x0000000000000000-mapping.dmp

Download
memory/4688-203-0x0000000000000000-mapping.dmp

Download
memory/4712-221-0x0000000000000000-mapping.dmp

Download
memory/4744-284-0x0000000000000000-mapping.dmp

Download
memory/4812-226-0x0000000000000000-mapping.dmp

Download
memory/4812-298-0x0000000007930000-0x0000000007996000-memory.dmp

Filesize
408KB

Download
memory/4824-257-0x0000000000000000-mapping.dmp

Download
memory/4844-200-0x0000000000000000-mapping.dmp

Download
memory/4904-213-0x00007FFD1ED80000-0x00007FFD1F841000-memory.dmp

Filesize
10.8MB

Download
memory/4904-233-0x00007FFD1ED80000-0x00007FFD1F841000-memory.dmp

Filesize
10.8MB

Download
memory/4904-210-0x0000000000000000-mapping.dmp

Download
memory/4928-187-0x0000000000000000-mapping.dmp

Download
memory/4952-154-0x0000000000000000-mapping.dmp

Download
memory/4952-166-0x0000000005AA0000-0x0000000006044000-memory.dmp

Filesize
5.6MB

Download
memory/4952-168-0x00000000054F0000-0x000000000558C000-memory.dmp

Filesize
624KB

Download
memory/4952-162-0x00000000006B0000-0x0000000000752000-memory.dmp

Filesize
648KB

Download
memory/4992-176-0x0000000000000000-mapping.dmp

Download
memory/4992-177-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5048-251-0x0000000000000000-mapping.dmp

Download
memory/5088-237-0x0000000000000000-mapping.dmp

Download
memory/5148-286-0x0000000000000000-mapping.dmp

Download
memory/5240-288-0x0000000000C00000-0x0000000000C96000-memory.dmp

Filesize
600KB

Download
memory/5240-287-0x0000000000000000-mapping.dmp

Download
memory/5412-289-0x0000000000000000-mapping.dmp

Download
memory/5536-290-0x0000000000000000-mapping.dmp

Download
memory/5536-301-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5556-292-0x0000000000000000-mapping.dmp

Download
memory/5628-294-0x0000000000000000-mapping.dmp

Download
memory/5644-296-0x0000000000000000-mapping.dmp

Download
memory/6064-299-0x0000000000000000-mapping.dmp

Download
memory/6064-300-0x0000000000C10000-0x0000000000C2A000-memory.dmp

Filesize
104KB

Download