amadey | 4b1af9151e630b14fa80f5826274d9b0e3b4117b81bdf49ada918ea7815b788c

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b1af9151e630b14fa80f5826274d9b0e3b4117b81bdf49ada918ea7815b788c.exe
Size

186KB
MD5

8635292b56f59b5416370b5b21a763ad
SHA1

e3938cbff4a2f2a7c3dccb8c0869a1c978823f83
SHA256

4b1af9151e630b14fa80f5826274d9b0e3b4117b81bdf49ada918ea7815b788c
SHA512

d1a0c5d2b9d0d06695ca5a7b39b88a6baffc5e32f0376f5a7eb22973ff5742ca14900a878cd6d8ceb9043a866658fc53fb4a4165327978abca37b128b089013f
SSDEEP

3072:1EKd7wz7ax5LsyXV4Wvjj551RbqMHbBIFuygEx+9IaSX2iRgg:Rd7XLdXeMBYMHlIFR09JV

Score

10^/10

amadey dcrat djvu redline smokeloader vidar 517 backdoor collection discovery infostealer persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

djvu

http://fresherlights.com/lancer/get.php

Attributes

extension
.tcbu
offline_id
JBPpFMvWlKMsKlJRmPJl5e09RSnYrRJya1oX8xt1
payload_url
http://uaery.top/dl/build2.exe

http://fresherlights.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-bpYXr2m3kI Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0606Jhyjd

rsa_pubkey.plain

Extracted

Family

vidar

Version

55.8

Botnet

517

https://t.me/headshotsonly

https://steamcommunity.com/profiles/76561199436777531

Attributes

profile_id
517

Extracted

Family

redline

185.215.113.83:60722

Attributes

auth_value
674feb1d15af397f9322eb62587035b3

Extracted

Family

amadey

Version

3.50

193.56.146.174/g84kvj4jck/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 6 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

4b1af9151e630b14fa80f5826274d9b0e3b4117b81bdf49ada918ea7815b788c.exeCFC9.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4b1af9151e630b14fa80f5826274d9b0e3b4117b81bdf49ada918ea7815b788c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9fe8c3e8-20a2-48f2-851b-d45351737a06\\CFC9.exe\" --AutoStart"	CFC9.exe
4752	schtasks.exe
3196	schtasks.exe
4688	schtasks.exe
5372	schtasks.exe

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3092-146-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3092-148-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2540-151-0x0000000002250000-0x000000000236B000-memory.dmp	family_djvu
behavioral1/memory/3092-150-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3092-152-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3092-173-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4804-185-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4804-183-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4804-186-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4804-224-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4888-133-0x0000000002970000-0x0000000002979000-memory.dmp	family_smokeloader
behavioral1/memory/4256-175-0x00000000005A0000-0x00000000005A9000-memory.dmp	family_smokeloader
behavioral1/memory/3760-178-0x00000000004E0000-0x00000000004E9000-memory.dmp	family_smokeloader
behavioral1/memory/5412-412-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5076-244-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 26 IoCs

Processes:

CFC9.exeCFC9.exe2750.exe2A20.exeCFC9.exeCFC9.exebuild2.exebuild2.exebuild3.exeAEF1.exeBDF6.exeC653.exeCFF9.exerovwer.exeD847.exeE22B.exe1.exerovwer.exegfifftemstsca.exehhifftebrave.exeofg.exechrome.exebrave.exeC653.exe

pid	process
2540	CFC9.exe
3092	CFC9.exe
4256	2750.exe
3760	2A20.exe
3052	CFC9.exe
4804	CFC9.exe
3304	build2.exe
2344	build2.exe
1244	build3.exe
4964	AEF1.exe
4932	BDF6.exe
4540	C653.exe
4004	CFF9.exe
3980	rovwer.exe
1756	D847.exe
2660	E22B.exe
3456	1.exe
4980	rovwer.exe
4300	gfiffte
5040	mstsca.exe
2604	hhiffte
1360	brave.exe
3796	ofg.exe
5464	chrome.exe
5624	brave.exe
5412	C653.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CFF9.exerovwer.exebrave.exeCFC9.exeCFC9.exebuild2.exeC653.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	CFF9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	rovwer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	brave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	CFC9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	CFC9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	C653.exe

Loads dropped DLL 3 IoCs

Processes:

regsvr32.exebuild2.exe

pid process

4744 regsvr32.exe
2344 build2.exe
2344 build2.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4240 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4744	regsvr32.exe
2344	build2.exe
2344	build2.exe

pid	process
4240	icacls.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

C653.exeCFC9.exerovwer.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iwejqxttng = "\"C:\\Users\\Admin\\AppData\\Roaming\\Raglf\\Iwejqxttng.exe\""	C653.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9fe8c3e8-20a2-48f2-851b-d45351737a06\\CFC9.exe\" --AutoStart"	CFC9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000197001\\1.exe"	rovwer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

34 api.2ip.ua
18 api.2ip.ua

flow	ioc
34	api.2ip.ua
18	api.2ip.ua

Suspicious use of SetThreadContext 5 IoCs

Processes:

CFC9.exeCFC9.exebuild2.exeBDF6.exeC653.exe

description	pid	process	target process
PID 2540 set thread context of 3092	2540	CFC9.exe	CFC9.exe
PID 3052 set thread context of 4804	3052	CFC9.exe	CFC9.exe
PID 3304 set thread context of 2344	3304	build2.exe	build2.exe
PID 4932 set thread context of 5076	4932	BDF6.exe	vbc.exe
PID 4540 set thread context of 5412	4540	C653.exe	C653.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\71077390-d21d-44d2-b72c-a27672602417.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221123064019.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4340	3760	WerFault.exe	2A20.exe
4832	4932	WerFault.exe	BDF6.exe
856	4004	WerFault.exe	CFF9.exe
2928	3456	WerFault.exe	1.exe
2384	4964	WerFault.exe	AEF1.exe
4716	4980	WerFault.exe	rovwer.exe
3660	4300	WerFault.exe	gfiffte

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2750.exeC653.exe4b1af9151e630b14fa80f5826274d9b0e3b4117b81bdf49ada918ea7815b788c.exehhiffte

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2750.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C653.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C653.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4b1af9151e630b14fa80f5826274d9b0e3b4117b81bdf49ada918ea7815b788c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4b1af9151e630b14fa80f5826274d9b0e3b4117b81bdf49ada918ea7815b788c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2750.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hhiffte
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hhiffte
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C653.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4b1af9151e630b14fa80f5826274d9b0e3b4117b81bdf49ada918ea7815b788c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2750.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hhiffte

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3196 schtasks.exe
4688 schtasks.exe
5372 schtasks.exe
4752 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2308 timeout.exe

pid	process
3196	schtasks.exe
4688	schtasks.exe
5372	schtasks.exe
4752	schtasks.exe

pid	process
2308	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 4 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4b1af9151e630b14fa80f5826274d9b0e3b4117b81bdf49ada918ea7815b788c.exe

pid	process
4888	4b1af9151e630b14fa80f5826274d9b0e3b4117b81bdf49ada918ea7815b788c.exe
4888	4b1af9151e630b14fa80f5826274d9b0e3b4117b81bdf49ada918ea7815b788c.exe
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560
2560

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2560

pid	process
2560

Suspicious behavior: MapViewOfSection 47 IoCs

Processes:

4b1af9151e630b14fa80f5826274d9b0e3b4117b81bdf49ada918ea7815b788c.exe2750.exeexplorer.exehhiffteexplorer.exeexplorer.exe

pid	process
4888	4b1af9151e630b14fa80f5826274d9b0e3b4117b81bdf49ada918ea7815b788c.exe
2560
2560
2560
2560
4256	2750.exe
2560
2560
2560
2560
2144	explorer.exe
2144	explorer.exe
2144	explorer.exe
2144	explorer.exe
2560
2560
2560
2560
2560
2560
2560
2560
2144	explorer.exe
2144	explorer.exe
2144	explorer.exe
2144	explorer.exe
2560
2560
2144	explorer.exe
2144	explorer.exe
2560
2560
2144	explorer.exe
2144	explorer.exe
2560
2560
2144	explorer.exe
2144	explorer.exe
2144	explorer.exe
2144	explorer.exe
2144	explorer.exe
2144	explorer.exe
2604	hhiffte
1948	explorer.exe
1948	explorer.exe
2724	explorer.exe
2724	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

4408 msedge.exe
4408 msedge.exe
4408 msedge.exe
4408 msedge.exe

pid	process
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AEF1.exeC653.exepowershell.exevbc.exe1.exebrave.exe

description	pid	process
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeDebugPrivilege	4964	AEF1.exe
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeDebugPrivilege	4540	C653.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeDebugPrivilege	5076	vbc.exe
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeDebugPrivilege	3456	1.exe
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560
Token: SeDebugPrivilege	1360	brave.exe
Token: SeShutdownPrivilege	2560
Token: SeCreatePagefilePrivilege	2560

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

msedge.exe

pid process

4408 msedge.exe
2560
2560
4408 msedge.exe
2560
4408 msedge.exe
2560
2560
2560
2560
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pid process

2560

pid	process
4408	msedge.exe
2560
2560
4408	msedge.exe
2560
4408	msedge.exe
2560
2560
2560
2560

pid	process
2560

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exeCFC9.exeCFC9.exeCFC9.exeCFC9.exebuild2.exebuild3.exe

description	pid	process	target process
PID 2560 wrote to memory of 1716	2560		regsvr32.exe
PID 2560 wrote to memory of 1716	2560		regsvr32.exe
PID 1716 wrote to memory of 4744	1716	regsvr32.exe	regsvr32.exe
PID 1716 wrote to memory of 4744	1716	regsvr32.exe	regsvr32.exe
PID 1716 wrote to memory of 4744	1716	regsvr32.exe	regsvr32.exe
PID 2560 wrote to memory of 2540	2560		CFC9.exe
PID 2560 wrote to memory of 2540	2560		CFC9.exe
PID 2560 wrote to memory of 2540	2560		CFC9.exe
PID 2540 wrote to memory of 3092	2540	CFC9.exe	CFC9.exe
PID 2540 wrote to memory of 3092	2540	CFC9.exe	CFC9.exe
PID 2540 wrote to memory of 3092	2540	CFC9.exe	CFC9.exe
PID 2540 wrote to memory of 3092	2540	CFC9.exe	CFC9.exe
PID 2540 wrote to memory of 3092	2540	CFC9.exe	CFC9.exe
PID 2540 wrote to memory of 3092	2540	CFC9.exe	CFC9.exe
PID 2540 wrote to memory of 3092	2540	CFC9.exe	CFC9.exe
PID 2540 wrote to memory of 3092	2540	CFC9.exe	CFC9.exe
PID 2540 wrote to memory of 3092	2540	CFC9.exe	CFC9.exe
PID 2540 wrote to memory of 3092	2540	CFC9.exe	CFC9.exe
PID 2560 wrote to memory of 4256	2560		2750.exe
PID 2560 wrote to memory of 4256	2560		2750.exe
PID 2560 wrote to memory of 4256	2560		2750.exe
PID 2560 wrote to memory of 3760	2560		2A20.exe
PID 2560 wrote to memory of 3760	2560		2A20.exe
PID 2560 wrote to memory of 3760	2560		2A20.exe
PID 2560 wrote to memory of 2088	2560		explorer.exe
PID 2560 wrote to memory of 2088	2560		explorer.exe
PID 2560 wrote to memory of 2088	2560		explorer.exe
PID 2560 wrote to memory of 2088	2560		explorer.exe
PID 2560 wrote to memory of 2084	2560		explorer.exe
PID 2560 wrote to memory of 2084	2560		explorer.exe
PID 2560 wrote to memory of 2084	2560		explorer.exe
PID 3092 wrote to memory of 4240	3092	CFC9.exe	icacls.exe
PID 3092 wrote to memory of 4240	3092	CFC9.exe	icacls.exe
PID 3092 wrote to memory of 4240	3092	CFC9.exe	icacls.exe
PID 3092 wrote to memory of 3052	3092	CFC9.exe	CFC9.exe
PID 3092 wrote to memory of 3052	3092	CFC9.exe	CFC9.exe
PID 3092 wrote to memory of 3052	3092	CFC9.exe	CFC9.exe
PID 3052 wrote to memory of 4804	3052	CFC9.exe	CFC9.exe
PID 3052 wrote to memory of 4804	3052	CFC9.exe	CFC9.exe
PID 3052 wrote to memory of 4804	3052	CFC9.exe	CFC9.exe
PID 3052 wrote to memory of 4804	3052	CFC9.exe	CFC9.exe
PID 3052 wrote to memory of 4804	3052	CFC9.exe	CFC9.exe
PID 3052 wrote to memory of 4804	3052	CFC9.exe	CFC9.exe
PID 3052 wrote to memory of 4804	3052	CFC9.exe	CFC9.exe
PID 3052 wrote to memory of 4804	3052	CFC9.exe	CFC9.exe
PID 3052 wrote to memory of 4804	3052	CFC9.exe	CFC9.exe
PID 3052 wrote to memory of 4804	3052	CFC9.exe	CFC9.exe
PID 4804 wrote to memory of 3304	4804	CFC9.exe	build2.exe
PID 4804 wrote to memory of 3304	4804	CFC9.exe	build2.exe
PID 4804 wrote to memory of 3304	4804	CFC9.exe	build2.exe
PID 3304 wrote to memory of 2344	3304	build2.exe	build2.exe
PID 3304 wrote to memory of 2344	3304	build2.exe	build2.exe
PID 3304 wrote to memory of 2344	3304	build2.exe	build2.exe
PID 3304 wrote to memory of 2344	3304	build2.exe	build2.exe
PID 3304 wrote to memory of 2344	3304	build2.exe	build2.exe
PID 3304 wrote to memory of 2344	3304	build2.exe	build2.exe
PID 3304 wrote to memory of 2344	3304	build2.exe	build2.exe
PID 3304 wrote to memory of 2344	3304	build2.exe	build2.exe
PID 3304 wrote to memory of 2344	3304	build2.exe	build2.exe
PID 4804 wrote to memory of 1244	4804	CFC9.exe	build3.exe
PID 4804 wrote to memory of 1244	4804	CFC9.exe	build3.exe
PID 4804 wrote to memory of 1244	4804	CFC9.exe	build3.exe
PID 1244 wrote to memory of 4752	1244	build3.exe	schtasks.exe
PID 1244 wrote to memory of 4752	1244	build3.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\4b1af9151e630b14fa80f5826274d9b0e3b4117b81bdf49ada918ea7815b788c.exe
"C:\Users\Admin\AppData\Local\Temp\4b1af9151e630b14fa80f5826274d9b0e3b4117b81bdf49ada918ea7815b788c.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4888

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C894.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\C894.dll
2⤵
- Loads dropped DLL
PID:4744

C:\Users\Admin\AppData\Local\Temp\CFC9.exe
C:\Users\Admin\AppData\Local\Temp\CFC9.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\CFC9.exe
C:\Users\Admin\AppData\Local\Temp\CFC9.exe
2⤵
- DcRat
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\9fe8c3e8-20a2-48f2-851b-d45351737a06" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:4240

C:\Users\Admin\AppData\Local\Temp\CFC9.exe
"C:\Users\Admin\AppData\Local\Temp\CFC9.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\CFC9.exe
"C:\Users\Admin\AppData\Local\Temp\CFC9.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\5582bf7a-0303-4cd5-83c0-b1fab20d6997\build2.exe
"C:\Users\Admin\AppData\Local\5582bf7a-0303-4cd5-83c0-b1fab20d6997\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3304

C:\Users\Admin\AppData\Local\5582bf7a-0303-4cd5-83c0-b1fab20d6997\build2.exe
"C:\Users\Admin\AppData\Local\5582bf7a-0303-4cd5-83c0-b1fab20d6997\build2.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:2344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\5582bf7a-0303-4cd5-83c0-b1fab20d6997\build2.exe" & exit
7⤵
PID:2272

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:2308

C:\Users\Admin\AppData\Local\5582bf7a-0303-4cd5-83c0-b1fab20d6997\build3.exe
"C:\Users\Admin\AppData\Local\5582bf7a-0303-4cd5-83c0-b1fab20d6997\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- DcRat
- Creates scheduled task(s)
PID:4752

C:\Users\Admin\AppData\Local\Temp\2750.exe
C:\Users\Admin\AppData\Local\Temp\2750.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4256

C:\Users\Admin\AppData\Local\Temp\2A20.exe
C:\Users\Admin\AppData\Local\Temp\2A20.exe
1⤵
- Executes dropped EXE
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 448
2⤵
- Program crash
PID:4340

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2088

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3760 -ip 3760
1⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\AEF1.exe
C:\Users\Admin\AppData\Local\Temp\AEF1.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1728
2⤵
- Program crash
PID:2384

C:\Users\Admin\AppData\Local\Temp\BDF6.exe
C:\Users\Admin\AppData\Local\Temp\BDF6.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Users\Admin\AppData\Local\Google\brave.exe
"C:\Users\Admin\AppData\Local\Google\brave.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3; Set-MpPreference -ExclusionPath C:\
4⤵
PID:5516

C:\Users\Admin\AppData\Local\Google\ofg.exe
"C:\Users\Admin\AppData\Local\Google\ofg.exe"
3⤵
- Executes dropped EXE
PID:3796

C:\Windows\system32\cmd.exe
cmd.exe /C schtasks /create /tn OzqLuwrCYU /tr C:\Users\Admin\AppData\Roaming\OzqLuwrCYU\svcupdater.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
4⤵
PID:5312

C:\Windows\system32\schtasks.exe
schtasks /create /tn OzqLuwrCYU /tr C:\Users\Admin\AppData\Roaming\OzqLuwrCYU\svcupdater.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
5⤵
- DcRat
- Creates scheduled task(s)
PID:5372

C:\Users\Admin\AppData\Local\Google\chrome.exe
"C:\Users\Admin\AppData\Local\Google\chrome.exe"
3⤵
- Executes dropped EXE
PID:5464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 360
2⤵
- Program crash
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4932 -ip 4932
1⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\C653.exe
C:\Users\Admin\AppData\Local\Temp\C653.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Users\Admin\AppData\Local\Temp\C653.exe
C:\Users\Admin\AppData\Local\Temp\C653.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5412

C:\Users\Admin\AppData\Local\Temp\CFF9.exe
C:\Users\Admin\AppData\Local\Temp\CFF9.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:4004

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
PID:3980

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
3⤵
- DcRat
- Creates scheduled task(s)
PID:3196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
3⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:3248

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:N"
4⤵
PID:2196

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:N"
4⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2472

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:R" /E
4⤵
PID:4428

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:R" /E
4⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\1000197001\1.exe
"C:\Users\Admin\AppData\Local\Temp\1000197001\1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 1352
4⤵
- Program crash
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 892
2⤵
- Program crash
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4004 -ip 4004
1⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\D847.exe
C:\Users\Admin\AppData\Local\Temp\D847.exe
1⤵
- Executes dropped EXE
PID:1756

C:\Users\Admin\AppData\Local\Temp\E22B.exe
C:\Users\Admin\AppData\Local\Temp\E22B.exe
1⤵
- Executes dropped EXE
PID:2660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mintall.site/
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffad9d146f8,0x7ffad9d14708,0x7ffad9d14718
3⤵
PID:1532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,10694056167873869408,6384903200870329547,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
3⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,10694056167873869408,6384903200870329547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
3⤵
PID:460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,10694056167873869408,6384903200870329547,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
3⤵
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10694056167873869408,6384903200870329547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
3⤵
PID:3056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10694056167873869408,6384903200870329547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
3⤵
PID:2480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,10694056167873869408,6384903200870329547,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4916 /prefetch:8
3⤵
PID:2272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10694056167873869408,6384903200870329547,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
3⤵
PID:3404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10694056167873869408,6384903200870329547,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
3⤵
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,10694056167873869408,6384903200870329547,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3800 /prefetch:8
3⤵
PID:5188

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,10694056167873869408,6384903200870329547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6512 /prefetch:8
3⤵
PID:5744

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:5820

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff718825460,0x7ff718825470,0x7ff718825480
4⤵
PID:5872

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,10694056167873869408,6384903200870329547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6512 /prefetch:8
3⤵
PID:5964

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2724

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2144

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1948

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3456 -ip 3456
1⤵
PID:8

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4964 -ip 4964
1⤵
PID:4168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2104

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3832

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5108

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2416

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 424
2⤵
- Program crash
PID:4716

C:\Users\Admin\AppData\Roaming\gfiffte
C:\Users\Admin\AppData\Roaming\gfiffte
1⤵
- Executes dropped EXE
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 456
2⤵
- Program crash
PID:3660

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:5040

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- DcRat
- Creates scheduled task(s)
PID:4688

C:\Users\Admin\AppData\Roaming\hhiffte
C:\Users\Admin\AppData\Roaming\hhiffte
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4980 -ip 4980
1⤵
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4300 -ip 4300
1⤵
PID:3796

C:\Users\Admin\AppData\Roaming\brave.exe
C:\Users\Admin\AppData\Roaming\brave.exe
1⤵
- Executes dropped EXE
PID:5624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Scripting

Web Service

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\5582bf7a-0303-4cd5-83c0-b1fab20d6997\build2.exe

Filesize
397KB

MD5
724c04ee1bf4c248712b47cbb65e7782

SHA1
1292f72116df9bf615ca61ef016cef4e20a024b5

SHA256
84ef700ffb4e47c5b24e58d773284c9eeb03de5065dfabdcd34f883693facd7a

SHA512
63472e9fa979d5796d8705626b7a00ab77e4c3327a63e71079c2f1dd515e829e43821aba47e052949c7038cacedf207c1aa01b273db8c74583b58c2afd3c6ee5

Download Submit
C:\Users\Admin\AppData\Local\5582bf7a-0303-4cd5-83c0-b1fab20d6997\build2.exe

Filesize
397KB

MD5
724c04ee1bf4c248712b47cbb65e7782

SHA1
1292f72116df9bf615ca61ef016cef4e20a024b5

SHA256
84ef700ffb4e47c5b24e58d773284c9eeb03de5065dfabdcd34f883693facd7a

SHA512
63472e9fa979d5796d8705626b7a00ab77e4c3327a63e71079c2f1dd515e829e43821aba47e052949c7038cacedf207c1aa01b273db8c74583b58c2afd3c6ee5

Download Submit
C:\Users\Admin\AppData\Local\5582bf7a-0303-4cd5-83c0-b1fab20d6997\build2.exe

Filesize
397KB

MD5
724c04ee1bf4c248712b47cbb65e7782

SHA1
1292f72116df9bf615ca61ef016cef4e20a024b5

SHA256
84ef700ffb4e47c5b24e58d773284c9eeb03de5065dfabdcd34f883693facd7a

SHA512
63472e9fa979d5796d8705626b7a00ab77e4c3327a63e71079c2f1dd515e829e43821aba47e052949c7038cacedf207c1aa01b273db8c74583b58c2afd3c6ee5

Download Submit
C:\Users\Admin\AppData\Local\5582bf7a-0303-4cd5-83c0-b1fab20d6997\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\5582bf7a-0303-4cd5-83c0-b1fab20d6997\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\9fe8c3e8-20a2-48f2-851b-d45351737a06\CFC9.exe

Filesize
815KB

MD5
ee641cca83b469e64ed481c311e8de18

SHA1
a3f994d05afc7a161d3ddc920e2d2daf46f75530

SHA256
6cefd94139212911a3a619406812b628133e9ccd718aea839d1723df4c2e9fff

SHA512
3134ba030119bcd2d3cb6f21a72335ed0398fecba46b953eadad766b9ec3e542bd14ea2df43c2e78971c15d934aed4c27ddbeb64dc9c7d28ef537bc82d846fe9

Download Submit
C:\Users\Admin\AppData\Local\Google\brave.exe

Filesize
477KB

MD5
4c09337e40dea7aba80ed676184c4620

SHA1
d46ddb6494b2531b4b7941271ce94fcdd0b84ec8

SHA256
41aef2c784c011d31b304374647a0dfee1249dd241fb8e79e6ccc3bde866a806

SHA512
d338ba7b3dad8a0d6994f2a669b6de1782b9aa7f0cad9df4ee3c084058c3c82f440f5208ea6c8110804dbc91e96b3b11f92c96fec7172aaf651674f674ddc306

Download Submit
C:\Users\Admin\AppData\Local\Google\brave.exe

Filesize
477KB

MD5
4c09337e40dea7aba80ed676184c4620

SHA1
d46ddb6494b2531b4b7941271ce94fcdd0b84ec8

SHA256
41aef2c784c011d31b304374647a0dfee1249dd241fb8e79e6ccc3bde866a806

SHA512
d338ba7b3dad8a0d6994f2a669b6de1782b9aa7f0cad9df4ee3c084058c3c82f440f5208ea6c8110804dbc91e96b3b11f92c96fec7172aaf651674f674ddc306

Download Submit
C:\Users\Admin\AppData\Local\Google\chrome.exe

Filesize
6.1MB

MD5
2eb1f0cd73ab52f0434a1e8575553014

SHA1
8354dd14ddb0252a7ec0228f711fd8a326809f55

SHA256
31e2c3cbcaae0c132f191eb1cfa0079020a89843ef63c181bd3d4b1dddc09189

SHA512
02e041745c261b53401fc2f0132db6215a0e898a9298419f0e612efd2a6d180fe8e49201d16680ca60eaada432ca1b70d441c84af87c41f95062212799f8cf93

Download Submit
C:\Users\Admin\AppData\Local\Google\chrome.exe

Filesize
6.1MB

MD5
2eb1f0cd73ab52f0434a1e8575553014

SHA1
8354dd14ddb0252a7ec0228f711fd8a326809f55

SHA256
31e2c3cbcaae0c132f191eb1cfa0079020a89843ef63c181bd3d4b1dddc09189

SHA512
02e041745c261b53401fc2f0132db6215a0e898a9298419f0e612efd2a6d180fe8e49201d16680ca60eaada432ca1b70d441c84af87c41f95062212799f8cf93

Download Submit
C:\Users\Admin\AppData\Local\Google\ofg.exe

Filesize
4.7MB

MD5
f36a905dbe6231409d40c52ab550820a

SHA1
d9522bb2b8b65cba4799d842c68bf40d4219ffec

SHA256
ca42f07551a6f462e0afbb0deac444612a87ae67d1b427dea55f1287a42e111b

SHA512
bbb0496df5907ec7eb18ded66f44956c17654ef09c90f5be7e9cb829757b7324f5e2a4b90e3368414dbfb5efce765c00c7d3bc710298228b92add92974b1abc4

Download Submit
C:\Users\Admin\AppData\Local\Google\ofg.exe

Filesize
4.7MB

MD5
f36a905dbe6231409d40c52ab550820a

SHA1
d9522bb2b8b65cba4799d842c68bf40d4219ffec

SHA256
ca42f07551a6f462e0afbb0deac444612a87ae67d1b427dea55f1287a42e111b

SHA512
bbb0496df5907ec7eb18ded66f44956c17654ef09c90f5be7e9cb829757b7324f5e2a4b90e3368414dbfb5efce765c00c7d3bc710298228b92add92974b1abc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\brave.exe.log

Filesize
621B

MD5
84ea4e5aedfded07182bbc69fa81eaff

SHA1
d82d998cb3d655c49dba4fb923a3fc360a285ea2

SHA256
299408135f6f265d6db7d42d5454a9be41bea2f72d8bb438d835de7c88c77653

SHA512
7f654f76cb24399a8e8d35c2f5571b1560b7cbc38656ff687c88bdae4dff49437cc218653441380247b6de484be6557b62b138bb725f8a94b4e776175c979a60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000197001\1.exe

Filesize
1001KB

MD5
ccd3f85a630d162bfd8dad660cc8997d

SHA1
d42a07f962906538b9d35d5a25aa4b48a23d8e55

SHA256
b54a9566733ad279a9214beaa8cfec9dd62bbf7dd237e37ca3b9cc5786fda5db

SHA512
ad8163467d87ce50a59aeab7b4aba14218962de74fdaa960feaff9e3a6df5ce91279a9a2ea974a3d7d1f16dfbdb6d60abb3a085c497e70c4a1c33fb6d2896ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000197001\1.exe

Filesize
1001KB

MD5
ccd3f85a630d162bfd8dad660cc8997d

SHA1
d42a07f962906538b9d35d5a25aa4b48a23d8e55

SHA256
b54a9566733ad279a9214beaa8cfec9dd62bbf7dd237e37ca3b9cc5786fda5db

SHA512
ad8163467d87ce50a59aeab7b4aba14218962de74fdaa960feaff9e3a6df5ce91279a9a2ea974a3d7d1f16dfbdb6d60abb3a085c497e70c4a1c33fb6d2896ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2750.exe

Filesize
301KB

MD5
80434f105bb3cf893257a01f03481743

SHA1
08636e3b88d95d73cd6a5864eb1ddee358d21a6f

SHA256
88421f19706a8251ea5165193e26e048384807ec9291f9d0baab8fadd42c5193

SHA512
e63d26faaeeb795528cc4e4dfb49e69a1f5112dbd0c24239e294aa70fd82cd8588a83ae4cd8e26c4eee568ef438033ac3af8467188aa53181633399bcc402dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2750.exe

Filesize
301KB

MD5
80434f105bb3cf893257a01f03481743

SHA1
08636e3b88d95d73cd6a5864eb1ddee358d21a6f

SHA256
88421f19706a8251ea5165193e26e048384807ec9291f9d0baab8fadd42c5193

SHA512
e63d26faaeeb795528cc4e4dfb49e69a1f5112dbd0c24239e294aa70fd82cd8588a83ae4cd8e26c4eee568ef438033ac3af8467188aa53181633399bcc402dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A20.exe

Filesize
301KB

MD5
af97408f0d80dd216d699c6755b7ec54

SHA1
afb49e74a833ecf46e835b70d25719494a37645f

SHA256
56240fe8492997585aa2c4867142712660722a70416d979fb80de9471afdfdc2

SHA512
bbe87dee88a8be24ad3134f7013fa0b39398670a18ea2e2124d3d6908cfc1de7ab8d71b5c2a53b1a47ec64195e2757332bd1a752a8c0dc2f25cccd84b0f356df

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A20.exe

Filesize
301KB

MD5
af97408f0d80dd216d699c6755b7ec54

SHA1
afb49e74a833ecf46e835b70d25719494a37645f

SHA256
56240fe8492997585aa2c4867142712660722a70416d979fb80de9471afdfdc2

SHA512
bbe87dee88a8be24ad3134f7013fa0b39398670a18ea2e2124d3d6908cfc1de7ab8d71b5c2a53b1a47ec64195e2757332bd1a752a8c0dc2f25cccd84b0f356df

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
245KB

MD5
326ad4a79483de66026904096ce24566

SHA1
1d123539a4957604a7c6ce437a54e01257e65c99

SHA256
4b6328e853a41e7cf829e1f50eb78dbceb62445f47db2495a661253a0c55ad9e

SHA512
734d6e56f395818ced988871c4f059d4b7912dd3124cf1ed9fead810aa24687b1f4005f9556dbe4cbc7d90a89c9b2223220238b7600140a72b47d47254f38b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
245KB

MD5
326ad4a79483de66026904096ce24566

SHA1
1d123539a4957604a7c6ce437a54e01257e65c99

SHA256
4b6328e853a41e7cf829e1f50eb78dbceb62445f47db2495a661253a0c55ad9e

SHA512
734d6e56f395818ced988871c4f059d4b7912dd3124cf1ed9fead810aa24687b1f4005f9556dbe4cbc7d90a89c9b2223220238b7600140a72b47d47254f38b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
245KB

MD5
326ad4a79483de66026904096ce24566

SHA1
1d123539a4957604a7c6ce437a54e01257e65c99

SHA256
4b6328e853a41e7cf829e1f50eb78dbceb62445f47db2495a661253a0c55ad9e

SHA512
734d6e56f395818ced988871c4f059d4b7912dd3124cf1ed9fead810aa24687b1f4005f9556dbe4cbc7d90a89c9b2223220238b7600140a72b47d47254f38b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEF1.exe

Filesize
411KB

MD5
86ef88beebad882ec04179465376bd5e

SHA1
ed4e9cc1e8e352e3c8e98b411f079a3907900624

SHA256
557903d594c164a7827607ea6057441a86680161322d64ed41837362a62d131b

SHA512
87a9af9111ff2dcb40ff7fa3a72b693e87da6ec358ee33ac2c9c6b9d59cb817e1a0e6335d2d5fb9dcb8a24e81b8ea1103061d6b845853d4f87f1b2095911efd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEF1.exe

Filesize
411KB

MD5
86ef88beebad882ec04179465376bd5e

SHA1
ed4e9cc1e8e352e3c8e98b411f079a3907900624

SHA256
557903d594c164a7827607ea6057441a86680161322d64ed41837362a62d131b

SHA512
87a9af9111ff2dcb40ff7fa3a72b693e87da6ec358ee33ac2c9c6b9d59cb817e1a0e6335d2d5fb9dcb8a24e81b8ea1103061d6b845853d4f87f1b2095911efd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDF6.exe

Filesize
184KB

MD5
7948e53bfe696978be69634910837747

SHA1
3e22908919f69cc11c4501f150fe30477dcf4a28

SHA256
57d9ff5e64e4a6c02f85523e8e93b11736320b8adff6fabbed4200113fd2c6d7

SHA512
7b1b66e9788bc98a865c91f703c72688f45e2ebbd03373fef36e6668d8d8f38f0e236b3ddd04c40385158824685ebe5d0c3badec366454dbbdeb512667d7a965

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDF6.exe

Filesize
184KB

MD5
7948e53bfe696978be69634910837747

SHA1
3e22908919f69cc11c4501f150fe30477dcf4a28

SHA256
57d9ff5e64e4a6c02f85523e8e93b11736320b8adff6fabbed4200113fd2c6d7

SHA512
7b1b66e9788bc98a865c91f703c72688f45e2ebbd03373fef36e6668d8d8f38f0e236b3ddd04c40385158824685ebe5d0c3badec366454dbbdeb512667d7a965

Download Submit
C:\Users\Admin\AppData\Local\Temp\C653.exe

Filesize
6KB

MD5
1fa7079d26058ea034b51f04938b4f44

SHA1
2cccd49d886cdfcd80da806971962d93b6eeaf45

SHA256
19c00af81f362be665658f611e54d1a6e460bcdde64a15e3db3910841374e2a0

SHA512
43053b5d324b61ac922a38b8991511e21a9cdcea6e240720e7ec01f122dea06194efdb29a2e4c6b6628bfadbc7ff7846b0a324b6b5472d1501094e3dbae24f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\C653.exe

Filesize
6KB

MD5
1fa7079d26058ea034b51f04938b4f44

SHA1
2cccd49d886cdfcd80da806971962d93b6eeaf45

SHA256
19c00af81f362be665658f611e54d1a6e460bcdde64a15e3db3910841374e2a0

SHA512
43053b5d324b61ac922a38b8991511e21a9cdcea6e240720e7ec01f122dea06194efdb29a2e4c6b6628bfadbc7ff7846b0a324b6b5472d1501094e3dbae24f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\C894.dll

Filesize
1.9MB

MD5
8d2e2757346dbdf908122486f3cab6a3

SHA1
88f3c445c2ef037486ec97316fdf0f0b661acecc

SHA256
afdd29bc5ebd926ebcd6c43ece8d082f1b0523dd302ec2c2bc20c7638cf2b647

SHA512
aea613e9aa7714860208106c10dde014a3decb54c6f988a2ef43f72bc75681fedc4a6e5ce379f8ea96520f36a6eb2f60f72f3e6fe447f85c625e65c591c29677

Download Submit
C:\Users\Admin\AppData\Local\Temp\C894.dll

Filesize
1.9MB

MD5
8d2e2757346dbdf908122486f3cab6a3

SHA1
88f3c445c2ef037486ec97316fdf0f0b661acecc

SHA256
afdd29bc5ebd926ebcd6c43ece8d082f1b0523dd302ec2c2bc20c7638cf2b647

SHA512
aea613e9aa7714860208106c10dde014a3decb54c6f988a2ef43f72bc75681fedc4a6e5ce379f8ea96520f36a6eb2f60f72f3e6fe447f85c625e65c591c29677

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFC9.exe

Filesize
815KB

MD5
ee641cca83b469e64ed481c311e8de18

SHA1
a3f994d05afc7a161d3ddc920e2d2daf46f75530

SHA256
6cefd94139212911a3a619406812b628133e9ccd718aea839d1723df4c2e9fff

SHA512
3134ba030119bcd2d3cb6f21a72335ed0398fecba46b953eadad766b9ec3e542bd14ea2df43c2e78971c15d934aed4c27ddbeb64dc9c7d28ef537bc82d846fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFC9.exe

Filesize
815KB

MD5
ee641cca83b469e64ed481c311e8de18

SHA1
a3f994d05afc7a161d3ddc920e2d2daf46f75530

SHA256
6cefd94139212911a3a619406812b628133e9ccd718aea839d1723df4c2e9fff

SHA512
3134ba030119bcd2d3cb6f21a72335ed0398fecba46b953eadad766b9ec3e542bd14ea2df43c2e78971c15d934aed4c27ddbeb64dc9c7d28ef537bc82d846fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFC9.exe

Filesize
815KB

MD5
ee641cca83b469e64ed481c311e8de18

SHA1
a3f994d05afc7a161d3ddc920e2d2daf46f75530

SHA256
6cefd94139212911a3a619406812b628133e9ccd718aea839d1723df4c2e9fff

SHA512
3134ba030119bcd2d3cb6f21a72335ed0398fecba46b953eadad766b9ec3e542bd14ea2df43c2e78971c15d934aed4c27ddbeb64dc9c7d28ef537bc82d846fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFC9.exe

Filesize
815KB

MD5
ee641cca83b469e64ed481c311e8de18

SHA1
a3f994d05afc7a161d3ddc920e2d2daf46f75530

SHA256
6cefd94139212911a3a619406812b628133e9ccd718aea839d1723df4c2e9fff

SHA512
3134ba030119bcd2d3cb6f21a72335ed0398fecba46b953eadad766b9ec3e542bd14ea2df43c2e78971c15d934aed4c27ddbeb64dc9c7d28ef537bc82d846fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFC9.exe

Filesize
815KB

MD5
ee641cca83b469e64ed481c311e8de18

SHA1
a3f994d05afc7a161d3ddc920e2d2daf46f75530

SHA256
6cefd94139212911a3a619406812b628133e9ccd718aea839d1723df4c2e9fff

SHA512
3134ba030119bcd2d3cb6f21a72335ed0398fecba46b953eadad766b9ec3e542bd14ea2df43c2e78971c15d934aed4c27ddbeb64dc9c7d28ef537bc82d846fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFF9.exe

Filesize
245KB

MD5
326ad4a79483de66026904096ce24566

SHA1
1d123539a4957604a7c6ce437a54e01257e65c99

SHA256
4b6328e853a41e7cf829e1f50eb78dbceb62445f47db2495a661253a0c55ad9e

SHA512
734d6e56f395818ced988871c4f059d4b7912dd3124cf1ed9fead810aa24687b1f4005f9556dbe4cbc7d90a89c9b2223220238b7600140a72b47d47254f38b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFF9.exe

Filesize
245KB

MD5
326ad4a79483de66026904096ce24566

SHA1
1d123539a4957604a7c6ce437a54e01257e65c99

SHA256
4b6328e853a41e7cf829e1f50eb78dbceb62445f47db2495a661253a0c55ad9e

SHA512
734d6e56f395818ced988871c4f059d4b7912dd3124cf1ed9fead810aa24687b1f4005f9556dbe4cbc7d90a89c9b2223220238b7600140a72b47d47254f38b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\D847.exe

Filesize
2.4MB

MD5
1f251e2b0f7e54d14417a8161b896d41

SHA1
7a48128a77b57b839a3b508dfa379e579de7760d

SHA256
b83609f9653e171358f4e99c5c2590196949be9ec9aa02fc467bd7120539a257

SHA512
f9727347652bf93d816aef139a96ad31a2a3bece00ce458306164d19f7d07c74be3c67b16d23f7dd8c60c01eaa5a94266d714b23c1baf5521c9e91bfe91dd0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\E22B.exe

Filesize
4KB

MD5
fdcc79f58c90c1fb71fbd718a66d70e0

SHA1
bb62a5a3b0de02418bb78eb5884457f44d177512

SHA256
70dcaaa56728ccb0f21bd129c04826068167aed0bc3168e866eb959fd8c1a1d0

SHA512
a4c93aef3abf295f2a3a026d46cf0c0b969f9d87182af423f07b8d690d14e0ae6ae1dae6330e8455c8452f1ecbef660a722c3f913a2c92e7650960a24857c12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E22B.exe

Filesize
4KB

MD5
fdcc79f58c90c1fb71fbd718a66d70e0

SHA1
bb62a5a3b0de02418bb78eb5884457f44d177512

SHA256
70dcaaa56728ccb0f21bd129c04826068167aed0bc3168e866eb959fd8c1a1d0

SHA512
a4c93aef3abf295f2a3a026d46cf0c0b969f9d87182af423f07b8d690d14e0ae6ae1dae6330e8455c8452f1ecbef660a722c3f913a2c92e7650960a24857c12d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk

Filesize
2KB

MD5
a6b3839aaaed0fdb8880b30bb46cb0bf

SHA1
5027a6b7339d6b3ab7a4a9bac33f616206492a81

SHA256
2882af149e6ca3f662ff7e0eb6747ce660546ce9eecafad1e70ab1e022d62592

SHA512
d9e0ca67a8c9f1eb71f866b0ac6b1d80d0a935b5735f74bd4c5ce86fb77cf4c5c75fa21cd45f501205fde7fc4ad99587c7cddc2b00171edaf79e679e20d0d8ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\brave.exe

Filesize
477KB

MD5
4c09337e40dea7aba80ed676184c4620

SHA1
d46ddb6494b2531b4b7941271ce94fcdd0b84ec8

SHA256
41aef2c784c011d31b304374647a0dfee1249dd241fb8e79e6ccc3bde866a806

SHA512
d338ba7b3dad8a0d6994f2a669b6de1782b9aa7f0cad9df4ee3c084058c3c82f440f5208ea6c8110804dbc91e96b3b11f92c96fec7172aaf651674f674ddc306

Download Submit
C:\Users\Admin\AppData\Roaming\brave.exe

Filesize
477KB

MD5
4c09337e40dea7aba80ed676184c4620

SHA1
d46ddb6494b2531b4b7941271ce94fcdd0b84ec8

SHA256
41aef2c784c011d31b304374647a0dfee1249dd241fb8e79e6ccc3bde866a806

SHA512
d338ba7b3dad8a0d6994f2a669b6de1782b9aa7f0cad9df4ee3c084058c3c82f440f5208ea6c8110804dbc91e96b3b11f92c96fec7172aaf651674f674ddc306

Download Submit
C:\Users\Admin\AppData\Roaming\gfiffte

Filesize
301KB

MD5
80434f105bb3cf893257a01f03481743

SHA1
08636e3b88d95d73cd6a5864eb1ddee358d21a6f

SHA256
88421f19706a8251ea5165193e26e048384807ec9291f9d0baab8fadd42c5193

SHA512
e63d26faaeeb795528cc4e4dfb49e69a1f5112dbd0c24239e294aa70fd82cd8588a83ae4cd8e26c4eee568ef438033ac3af8467188aa53181633399bcc402dcb

Download Submit
C:\Users\Admin\AppData\Roaming\gfiffte

Filesize
301KB

MD5
80434f105bb3cf893257a01f03481743

SHA1
08636e3b88d95d73cd6a5864eb1ddee358d21a6f

SHA256
88421f19706a8251ea5165193e26e048384807ec9291f9d0baab8fadd42c5193

SHA512
e63d26faaeeb795528cc4e4dfb49e69a1f5112dbd0c24239e294aa70fd82cd8588a83ae4cd8e26c4eee568ef438033ac3af8467188aa53181633399bcc402dcb

Download Submit
C:\Users\Admin\AppData\Roaming\hhiffte

Filesize
186KB

MD5
8635292b56f59b5416370b5b21a763ad

SHA1
e3938cbff4a2f2a7c3dccb8c0869a1c978823f83

SHA256
4b1af9151e630b14fa80f5826274d9b0e3b4117b81bdf49ada918ea7815b788c

SHA512
d1a0c5d2b9d0d06695ca5a7b39b88a6baffc5e32f0376f5a7eb22973ff5742ca14900a878cd6d8ceb9043a866658fc53fb4a4165327978abca37b128b089013f

Download Submit
C:\Users\Admin\AppData\Roaming\hhiffte

Filesize
186KB

MD5
8635292b56f59b5416370b5b21a763ad

SHA1
e3938cbff4a2f2a7c3dccb8c0869a1c978823f83

SHA256
4b1af9151e630b14fa80f5826274d9b0e3b4117b81bdf49ada918ea7815b788c

SHA512
d1a0c5d2b9d0d06695ca5a7b39b88a6baffc5e32f0376f5a7eb22973ff5742ca14900a878cd6d8ceb9043a866658fc53fb4a4165327978abca37b128b089013f

Download Submit
\??\pipe\LOCAL\crashpad_4408_EKFRKPIIKQXDLKFT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/460-316-0x0000000000000000-mapping.dmp

Download
memory/1116-372-0x0000000000000000-mapping.dmp

Download
memory/1244-197-0x0000000000000000-mapping.dmp

Download
memory/1360-360-0x0000000000000000-mapping.dmp

Download
memory/1476-315-0x0000000000000000-mapping.dmp

Download
memory/1532-294-0x0000000000000000-mapping.dmp

Download
memory/1532-306-0x000001C1F7910000-0x000001C1F791F000-memory.dmp

Filesize
60KB

Download
memory/1716-136-0x0000000000000000-mapping.dmp

Download
memory/1756-268-0x0000000000000000-mapping.dmp

Download
memory/1948-303-0x0000000000000000-mapping.dmp

Download
memory/2084-168-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/2084-165-0x0000000000000000-mapping.dmp

Download
memory/2088-167-0x0000000000AF0000-0x0000000000B5B000-memory.dmp

Filesize
428KB

Download
memory/2088-203-0x0000000000B60000-0x0000000000BD5000-memory.dmp

Filesize
468KB

Download
memory/2088-164-0x0000000000000000-mapping.dmp

Download
memory/2088-166-0x0000000000B60000-0x0000000000BD5000-memory.dmp

Filesize
468KB

Download
memory/2144-295-0x0000000000000000-mapping.dmp

Download
memory/2144-302-0x0000000001220000-0x0000000001229000-memory.dmp

Filesize
36KB

Download
memory/2144-304-0x0000000001210000-0x000000000121F000-memory.dmp

Filesize
60KB

Download
memory/2196-285-0x0000000000000000-mapping.dmp

Download
memory/2272-225-0x0000000000000000-mapping.dmp

Download
memory/2272-338-0x0000000000000000-mapping.dmp

Download
memory/2308-227-0x0000000000000000-mapping.dmp

Download
memory/2344-202-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2344-204-0x000000006E870000-0x000000006E963000-memory.dmp

Filesize
972KB

Download
memory/2344-193-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2344-192-0x0000000000000000-mapping.dmp

Download
memory/2344-195-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2344-226-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2344-196-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2416-336-0x0000000000000000-mapping.dmp

Download
memory/2428-289-0x0000000000000000-mapping.dmp

Download
memory/2468-341-0x0000000000000000-mapping.dmp

Download
memory/2472-288-0x0000000000000000-mapping.dmp

Download
memory/2480-329-0x0000000000000000-mapping.dmp

Download
memory/2540-139-0x0000000000000000-mapping.dmp

Download
memory/2540-151-0x0000000002250000-0x000000000236B000-memory.dmp

Filesize
1.1MB

Download
memory/2540-149-0x00000000021B4000-0x0000000002246000-memory.dmp

Filesize
584KB

Download
memory/2660-281-0x0000000000720000-0x0000000000728000-memory.dmp

Filesize
32KB

Download
memory/2660-276-0x0000000000000000-mapping.dmp

Download
memory/2724-293-0x0000000000AF0000-0x0000000000AFB000-memory.dmp

Filesize
44KB

Download
memory/2724-286-0x0000000000000000-mapping.dmp

Download
memory/2724-292-0x0000000000B00000-0x0000000000B07000-memory.dmp

Filesize
28KB

Download
memory/2876-257-0x0000000000000000-mapping.dmp

Download
memory/2876-274-0x0000000006200000-0x000000000621A000-memory.dmp

Filesize
104KB

Download
memory/2876-258-0x0000000002740000-0x0000000002776000-memory.dmp

Filesize
216KB

Download
memory/2876-259-0x0000000004E60000-0x0000000005488000-memory.dmp

Filesize
6.2MB

Download
memory/2876-260-0x0000000005630000-0x0000000005696000-memory.dmp

Filesize
408KB

Download
memory/2876-261-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/2876-262-0x0000000005D00000-0x0000000005D1E000-memory.dmp

Filesize
120KB

Download
memory/2876-273-0x0000000007350000-0x00000000079CA000-memory.dmp

Filesize
6.5MB

Download
memory/3052-171-0x0000000000000000-mapping.dmp

Download
memory/3052-184-0x0000000002144000-0x00000000021D6000-memory.dmp

Filesize
584KB

Download
memory/3056-327-0x0000000000000000-mapping.dmp

Download
memory/3092-173-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3092-152-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3092-148-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3092-150-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3092-145-0x0000000000000000-mapping.dmp

Download
memory/3092-146-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3196-280-0x0000000000000000-mapping.dmp

Download
memory/3248-284-0x0000000000000000-mapping.dmp

Download
memory/3304-188-0x0000000000000000-mapping.dmp

Download
memory/3304-198-0x0000000002060000-0x00000000020AB000-memory.dmp

Filesize
300KB

Download
memory/3356-319-0x0000000000000000-mapping.dmp

Download
memory/3404-367-0x0000000000000000-mapping.dmp

Download
memory/3456-300-0x0000000000AC0000-0x0000000000BC0000-memory.dmp

Filesize
1024KB

Download
memory/3456-296-0x0000000000000000-mapping.dmp

Download
memory/3652-308-0x0000000000000000-mapping.dmp

Download
memory/3760-178-0x00000000004E0000-0x00000000004E9000-memory.dmp

Filesize
36KB

Download
memory/3760-179-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3760-177-0x000000000051C000-0x0000000000531000-memory.dmp

Filesize
84KB

Download
memory/3760-161-0x0000000000000000-mapping.dmp

Download
memory/3796-368-0x0000000000000000-mapping.dmp

Download
memory/3832-320-0x0000000000000000-mapping.dmp

Download
memory/3980-283-0x0000000000400000-0x00000000027F7000-memory.dmp

Filesize
36.0MB

Download
memory/3980-278-0x00000000029FC000-0x0000000002A1B000-memory.dmp

Filesize
124KB

Download
memory/3980-263-0x0000000000000000-mapping.dmp

Download
memory/4004-266-0x000000000295D000-0x000000000297C000-memory.dmp

Filesize
124KB

Download
memory/4004-267-0x0000000004320000-0x000000000435E000-memory.dmp

Filesize
248KB

Download
memory/4004-254-0x0000000000000000-mapping.dmp

Download
memory/4004-270-0x0000000000400000-0x00000000027F7000-memory.dmp

Filesize
36.0MB

Download
memory/4240-169-0x0000000000000000-mapping.dmp

Download
memory/4252-291-0x0000000000000000-mapping.dmp

Download
memory/4256-174-0x00000000007BC000-0x00000000007D2000-memory.dmp

Filesize
88KB

Download
memory/4256-175-0x00000000005A0000-0x00000000005A9000-memory.dmp

Filesize
36KB

Download
memory/4256-187-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4256-158-0x0000000000000000-mapping.dmp

Download
memory/4256-176-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4408-305-0x0000024F03560000-0x0000024F0356F000-memory.dmp

Filesize
60KB

Download
memory/4408-290-0x0000000000000000-mapping.dmp

Download
memory/4428-287-0x0000000000000000-mapping.dmp

Download
memory/4500-310-0x0000000000000000-mapping.dmp

Download
memory/4540-253-0x0000000006410000-0x0000000006432000-memory.dmp

Filesize
136KB

Download
memory/4540-252-0x0000000000D20000-0x0000000000D28000-memory.dmp

Filesize
32KB

Download
memory/4540-249-0x0000000000000000-mapping.dmp

Download
memory/4548-282-0x0000000000000000-mapping.dmp

Download
memory/4688-354-0x0000000000000000-mapping.dmp

Download
memory/4744-138-0x0000000000000000-mapping.dmp

Download
memory/4744-157-0x0000000002C10000-0x0000000002D38000-memory.dmp

Filesize
1.2MB

Download
memory/4744-154-0x0000000002D40000-0x0000000002DFD000-memory.dmp

Filesize
756KB

Download
memory/4744-153-0x0000000002650000-0x0000000002720000-memory.dmp

Filesize
832KB

Download
memory/4744-144-0x0000000002C10000-0x0000000002D38000-memory.dmp

Filesize
1.2MB

Download
memory/4744-143-0x0000000002980000-0x0000000002AD2000-memory.dmp

Filesize
1.3MB

Download
memory/4752-201-0x0000000000000000-mapping.dmp

Download
memory/4804-224-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4804-180-0x0000000000000000-mapping.dmp

Download
memory/4804-183-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4804-186-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4804-185-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4888-132-0x0000000002A9E000-0x0000000002AAE000-memory.dmp

Filesize
64KB

Download
memory/4888-135-0x0000000000400000-0x00000000027E8000-memory.dmp

Filesize
35.9MB

Download
memory/4888-134-0x0000000000400000-0x00000000027E8000-memory.dmp

Filesize
35.9MB

Download
memory/4888-133-0x0000000002970000-0x0000000002979000-memory.dmp

Filesize
36KB

Download
memory/4932-237-0x0000000000000000-mapping.dmp

Download
memory/4964-232-0x0000000002090000-0x00000000020CE000-memory.dmp

Filesize
248KB

Download
memory/4964-233-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4964-236-0x0000000005370000-0x0000000005988000-memory.dmp

Filesize
6.1MB

Download
memory/4964-235-0x0000000004AB0000-0x0000000004B42000-memory.dmp

Filesize
584KB

Download
memory/4964-234-0x0000000004BA0000-0x0000000005144000-memory.dmp

Filesize
5.6MB

Download
memory/4964-240-0x00000000052C0000-0x00000000052D2000-memory.dmp

Filesize
72KB

Download
memory/4964-241-0x00000000052E0000-0x000000000531C000-memory.dmp

Filesize
240KB

Download
memory/4964-239-0x0000000005190000-0x000000000529A000-memory.dmp

Filesize
1.0MB

Download
memory/4964-301-0x0000000006710000-0x0000000006C3C000-memory.dmp

Filesize
5.2MB

Download
memory/4964-299-0x0000000006540000-0x0000000006702000-memory.dmp

Filesize
1.8MB

Download
memory/4964-228-0x0000000000000000-mapping.dmp

Download
memory/4964-231-0x00000000005CC000-0x00000000005FC000-memory.dmp

Filesize
192KB

Download
memory/5076-243-0x0000000000000000-mapping.dmp

Download
memory/5076-275-0x0000000006C20000-0x0000000006C70000-memory.dmp

Filesize
320KB

Download
memory/5076-244-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5076-272-0x0000000006250000-0x000000000626E000-memory.dmp

Filesize
120KB

Download
memory/5076-271-0x0000000006150000-0x00000000061C6000-memory.dmp

Filesize
472KB

Download
memory/5108-330-0x0000000000000000-mapping.dmp

Download
memory/5188-375-0x0000000000000000-mapping.dmp

Download
memory/5312-378-0x0000000000000000-mapping.dmp

Download
memory/5372-380-0x0000000000000000-mapping.dmp

Download
memory/5412-412-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5464-389-0x0000000000000000-mapping.dmp

Download
memory/5516-392-0x0000000000000000-mapping.dmp

Download
memory/5820-403-0x0000000000000000-mapping.dmp

Download
memory/5872-404-0x0000000000000000-mapping.dmp

Download