93db5f4e53b9c0514b9c0c4c562be8d8e7c3d64f8542c03b7e7f032a9c5d0c55

Analysis

max time kernel
204s
max time network
230s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2022 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Synapse Launcher.exe
Size

788KB
MD5

20e1eb6b9b733bbd26ac8be5be603de2
SHA1

36beefc2467d94b5ec9ae843b2bb099898581bed
SHA256

73af760ad2ffdd931210079ef4b719a1a8c41a864e7d0a39faa5c1783fb140d6
SHA512

d486fc560f0f6d94428b58ae041a17053659e78c49fe9154ca9e642d692da43aeb7dd3f03b1aeb428ea398bdbdfab743960c2f0fa885cd97bc31655be2e42e0b
SSDEEP

12288:GoK0iEH0u6YNNCObkXxHDc/n3jUOSpUMh:nipzXonoOSpUMh

Score

9^/10

evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

kbhRA41Nczhx.exekbhRA41Nczhx.exekbhRA41Nczhx.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	kbhRA41Nczhx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	kbhRA41Nczhx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	kbhRA41Nczhx.exe

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

Processes:

A5wh9eC.binkbhRA41Nczhx.exeA5wh9eC.binkbhRA41Nczhx.exeA5wh9eC.binkbhRA41Nczhx.exe

pid	Process
1356	A5wh9eC.bin
4888	kbhRA41Nczhx.exe
3716	A5wh9eC.bin
1928	kbhRA41Nczhx.exe
4496	A5wh9eC.bin
644	kbhRA41Nczhx.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kbhRA41Nczhx.exekbhRA41Nczhx.exekbhRA41Nczhx.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	kbhRA41Nczhx.exe

Loads dropped DLL 3 IoCs

Processes:

kbhRA41Nczhx.exekbhRA41Nczhx.exekbhRA41Nczhx.exe

pid	Process
4888	kbhRA41Nczhx.exe
1928	kbhRA41Nczhx.exe
644	kbhRA41Nczhx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

kbhRA41Nczhx.exekbhRA41Nczhx.exekbhRA41Nczhx.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kbhRA41Nczhx.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d34f3ed1-ddf2-410b-affa-c0116e240532.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221214200556.pma	setup.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kbhRA41Nczhx.exekbhRA41Nczhx.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	kbhRA41Nczhx.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	kbhRA41Nczhx.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	kbhRA41Nczhx.exe

Enumerates system info in registry 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

kbhRA41Nczhx.exekbhRA41Nczhx.exemsedge.exekbhRA41Nczhx.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	kbhRA41Nczhx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	kbhRA41Nczhx.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	kbhRA41Nczhx.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	kbhRA41Nczhx.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid	Process
2668	NOTEPAD.EXE
2304	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

Synapse Launcher.exeA5wh9eC.binkbhRA41Nczhx.exeSynapse Launcher.exeA5wh9eC.binkbhRA41Nczhx.exemsedge.exemsedge.exeidentity_helper.exemsedge.exeSynapse Launcher.exeA5wh9eC.binkbhRA41Nczhx.exe

pid	Process
4496	Synapse Launcher.exe
1356	A5wh9eC.bin
4888	kbhRA41Nczhx.exe
4888	kbhRA41Nczhx.exe
4972	Synapse Launcher.exe
3716	A5wh9eC.bin
1928	kbhRA41Nczhx.exe
1928	kbhRA41Nczhx.exe
4572	msedge.exe
4572	msedge.exe
4680	msedge.exe
4680	msedge.exe
2084	identity_helper.exe
2084	identity_helper.exe
448	msedge.exe
448	msedge.exe
3768	Synapse Launcher.exe
3768	Synapse Launcher.exe
4496	A5wh9eC.bin
4496	A5wh9eC.bin
644	kbhRA41Nczhx.exe
644	kbhRA41Nczhx.exe
644	kbhRA41Nczhx.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exe

pid	Process
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

Synapse Launcher.exeA5wh9eC.binkbhRA41Nczhx.exeSynapse Launcher.exeA5wh9eC.binkbhRA41Nczhx.exeAUDIODG.EXESynapse Launcher.exeA5wh9eC.binkbhRA41Nczhx.exe

description	pid	Process
Token: SeDebugPrivilege	4496	Synapse Launcher.exe
Token: SeDebugPrivilege	1356	A5wh9eC.bin
Token: SeDebugPrivilege	4888	kbhRA41Nczhx.exe
Token: SeDebugPrivilege	4972	Synapse Launcher.exe
Token: SeDebugPrivilege	3716	A5wh9eC.bin
Token: SeDebugPrivilege	1928	kbhRA41Nczhx.exe
Token: 33	3276	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3276	AUDIODG.EXE
Token: SeDebugPrivilege	3768	Synapse Launcher.exe
Token: SeDebugPrivilege	4496	A5wh9eC.bin
Token: SeDebugPrivilege	644	kbhRA41Nczhx.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

msedge.exe

pid	Process
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Synapse Launcher.exeA5wh9eC.binSynapse Launcher.exeA5wh9eC.binmsedge.exe

description	pid	Process	procid_target
PID 4496 wrote to memory of 1356	4496	Synapse Launcher.exe	85
PID 4496 wrote to memory of 1356	4496	Synapse Launcher.exe	85
PID 4496 wrote to memory of 1356	4496	Synapse Launcher.exe	85
PID 1356 wrote to memory of 4888	1356	A5wh9eC.bin	88
PID 1356 wrote to memory of 4888	1356	A5wh9eC.bin	88
PID 1356 wrote to memory of 4888	1356	A5wh9eC.bin	88
PID 4972 wrote to memory of 3716	4972	Synapse Launcher.exe	101
PID 4972 wrote to memory of 3716	4972	Synapse Launcher.exe	101
PID 4972 wrote to memory of 3716	4972	Synapse Launcher.exe	101
PID 3716 wrote to memory of 1928	3716	A5wh9eC.bin	102
PID 3716 wrote to memory of 1928	3716	A5wh9eC.bin	102
PID 3716 wrote to memory of 1928	3716	A5wh9eC.bin	102
PID 4680 wrote to memory of 432	4680	msedge.exe	106
PID 4680 wrote to memory of 432	4680	msedge.exe	106
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 2520	4680	msedge.exe	107
PID 4680 wrote to memory of 4572	4680	msedge.exe	108
PID 4680 wrote to memory of 4572	4680	msedge.exe	108
PID 4680 wrote to memory of 3576	4680	msedge.exe	110
PID 4680 wrote to memory of 3576	4680	msedge.exe	110
PID 4680 wrote to memory of 3576	4680	msedge.exe	110
PID 4680 wrote to memory of 3576	4680	msedge.exe	110
PID 4680 wrote to memory of 3576	4680	msedge.exe	110
PID 4680 wrote to memory of 3576	4680	msedge.exe	110
PID 4680 wrote to memory of 3576	4680	msedge.exe	110
PID 4680 wrote to memory of 3576	4680	msedge.exe	110

C:\Users\Admin\AppData\Local\Temp\Synapse Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Synapse Launcher.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Users\Admin\AppData\Local\Temp\bin\A5wh9eC.bin
  "bin\A5wh9eC.bin"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Users\Admin\AppData\Local\Temp\bin\kbhRA41Nczhx.exe
    "bin\kbhRA41Nczhx.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\Synapse Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Synapse Launcher.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Local\Temp\bin\A5wh9eC.bin
  "bin\A5wh9eC.bin"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Users\Admin\AppData\Local\Temp\bin\kbhRA41Nczhx.exe
    "bin\kbhRA41Nczhx.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1928

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:?launchContext1=Microsoft.Windows.Cortana_cw5n1h2txyewy&url=https%3A%2F%2Fwww.bing.com%2Fsearch%3Fq%3Dvisuial%2Bstudio%2B2017%26form%3DWNSGPH%26qs%3DSW%26cvid%3D5c6edc5de1e34b829e6743b94d449f34%26pq%3Dvisuial%2Bstudio%2B2017%26cc%3DUS%26setlang%3Den-US%26nclid%3DCC49A771AA5D6B619014545D509433FC%26ts%3D1671048334002%26nclidts%3D1671048334%26tsms%3D002
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe858746f8,0x7ffe85874708,0x7ffe85874718
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3092 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:3892
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x258,0x25c,0x260,0x110,0x264,0x7ff64ce35460,0x7ff64ce35470,0x7ff64ce35480
    3⤵
    PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4012 /prefetch:8
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7305228405863370978,4250493604198023051,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6784 /prefetch:1
  2⤵
  PID:3824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:404

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x48c 0x494
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Users\Admin\AppData\Local\Temp\Synapse Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Synapse Launcher.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3768
- C:\Users\Admin\AppData\Local\Temp\bin\A5wh9eC.bin
  "bin\A5wh9eC.bin"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4496
- - C:\Users\Admin\AppData\Local\Temp\bin\kbhRA41Nczhx.exe
    "bin\kbhRA41Nczhx.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:644

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\A5wh9eC.bin.log

Filesize
1KB

MD5
77bad1d125b667a25700d5ca12236308

SHA1
7be394cc32923f20d0fdc033a64089a95df73472

SHA256
0c411e74012cc2a18aa55230dfda9d72dc0819e84d0ab1a68f7dd99b8b7a2738

SHA512
1b2d163265e696f3b2b12d9bfa9338fb285e1484a4e5917e865d2fcf39387f374842de215d7caced03ae3e37866a1efa1e43f4b8cc0dad139ce68a81d29fa6c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Synapse Launcher.exe.log

Filesize
1KB

MD5
96a530fc8267c0b81f305e29b59abd11

SHA1
0b352ae803f8fabd17e1c0a58b864e84a3f26798

SHA256
a45c28f2204c97b7d5f9cb4fe8e827ba943aed11e7582941a50938208e1d5d33

SHA512
862672c177856a208e9fdd23099f9a2e15810f7562f5579aff9f9870e1acddee9ce1b2314a33fde0e388003d62e99db0d94d1dfd55b8943a30761a68aa3c3240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kbhRA41Nczhx.exe.log

Filesize
2KB

MD5
34593a1e35a41932f6ab65da2fe9da5f

SHA1
eb9598aa5f5373dfa26f1e4990595a80f5e89e5d

SHA256
9fd830f95cffcf39fa14cb38035dee0cfe74d20df640dfc08aead1929655d481

SHA512
c1139c4cba1e0efe2ca4a18c6393b3eb5b5a327933e60529a7f6386b496e83936ad2a90238f0c658dd68f9aecf2d458156a6d7ab8251150b6c04d88d98eeb027

Download Submit
C:\Users\Admin\AppData\Local\Temp\auth\options.bin

Filesize
776B

MD5
7e7039adae830f0fa8d164b6638cc61c

SHA1
144bda2993a6d1548c1a9bbc95382bfb0c0a8109

SHA256
a3d907e5eb7d301481e0f16df18a4f615f39c3454c9cd5c494e3eb472ba12dc6

SHA512
95d79ab43da15614f882252b2c6d9fe4971d48c0e4a9550c248f13dabe0851cc44d5c06b2daa26ed94013a0da7467d2c019ee28cf36845e49447495c28f0d289

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\A5wh9eC.bin

Filesize
2.3MB

MD5
a1be0cf8d182e385689ed50d609fbb8e

SHA1
fc7a90a9ce07f85951002da1ac9c9c9891818f4d

SHA256
1ba5ccaf439f106d180dff8134a0bd992b359f06a60b11d05b7c624f1ec2db31

SHA512
971cb75ef67b8d33312e59fc506ba6900b5e480a1580a899bece6fcc46607c5e5435842dd8ff8593b927c38b44766bc2864ac4afc2418b5f2f7397c19beef6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\A5wh9eC.bin

Filesize
2.3MB

MD5
a1be0cf8d182e385689ed50d609fbb8e

SHA1
fc7a90a9ce07f85951002da1ac9c9c9891818f4d

SHA256
1ba5ccaf439f106d180dff8134a0bd992b359f06a60b11d05b7c624f1ec2db31

SHA512
971cb75ef67b8d33312e59fc506ba6900b5e480a1580a899bece6fcc46607c5e5435842dd8ff8593b927c38b44766bc2864ac4afc2418b5f2f7397c19beef6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\A5wh9eC.bin

Filesize
2.3MB

MD5
a1be0cf8d182e385689ed50d609fbb8e

SHA1
fc7a90a9ce07f85951002da1ac9c9c9891818f4d

SHA256
1ba5ccaf439f106d180dff8134a0bd992b359f06a60b11d05b7c624f1ec2db31

SHA512
971cb75ef67b8d33312e59fc506ba6900b5e480a1580a899bece6fcc46607c5e5435842dd8ff8593b927c38b44766bc2864ac4afc2418b5f2f7397c19beef6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\A5wh9eC.bin

Filesize
2.3MB

MD5
a1be0cf8d182e385689ed50d609fbb8e

SHA1
fc7a90a9ce07f85951002da1ac9c9c9891818f4d

SHA256
1ba5ccaf439f106d180dff8134a0bd992b359f06a60b11d05b7c624f1ec2db31

SHA512
971cb75ef67b8d33312e59fc506ba6900b5e480a1580a899bece6fcc46607c5e5435842dd8ff8593b927c38b44766bc2864ac4afc2418b5f2f7397c19beef6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\SLAgent.dll

Filesize
6.0MB

MD5
9b248dfff1d2b73fd639324741fe2e08

SHA1
e82684cd6858a6712eff69ace1707b3bcd464105

SHA256
39943c30732988289ca346902f007a72124bd98b82e08b0b9739241cdab4018e

SHA512
56784a895f113088e3c92ccd96f354473e5d849fb9d0798868ff5e9477f60854e8bc7c9759c63417c9298f8702abab266722439b445977c6e940da393b8b696c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\SLAgent.dll

Filesize
6.0MB

MD5
9b248dfff1d2b73fd639324741fe2e08

SHA1
e82684cd6858a6712eff69ace1707b3bcd464105

SHA256
39943c30732988289ca346902f007a72124bd98b82e08b0b9739241cdab4018e

SHA512
56784a895f113088e3c92ccd96f354473e5d849fb9d0798868ff5e9477f60854e8bc7c9759c63417c9298f8702abab266722439b445977c6e940da393b8b696c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\SLAgent.dll

Filesize
6.0MB

MD5
9b248dfff1d2b73fd639324741fe2e08

SHA1
e82684cd6858a6712eff69ace1707b3bcd464105

SHA256
39943c30732988289ca346902f007a72124bd98b82e08b0b9739241cdab4018e

SHA512
56784a895f113088e3c92ccd96f354473e5d849fb9d0798868ff5e9477f60854e8bc7c9759c63417c9298f8702abab266722439b445977c6e940da393b8b696c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\SLAgent.dll

Filesize
6.0MB

MD5
9b248dfff1d2b73fd639324741fe2e08

SHA1
e82684cd6858a6712eff69ace1707b3bcd464105

SHA256
39943c30732988289ca346902f007a72124bd98b82e08b0b9739241cdab4018e

SHA512
56784a895f113088e3c92ccd96f354473e5d849fb9d0798868ff5e9477f60854e8bc7c9759c63417c9298f8702abab266722439b445977c6e940da393b8b696c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\SynapseInjector.dll

Filesize
6.0MB

MD5
9b248dfff1d2b73fd639324741fe2e08

SHA1
e82684cd6858a6712eff69ace1707b3bcd464105

SHA256
39943c30732988289ca346902f007a72124bd98b82e08b0b9739241cdab4018e

SHA512
56784a895f113088e3c92ccd96f354473e5d849fb9d0798868ff5e9477f60854e8bc7c9759c63417c9298f8702abab266722439b445977c6e940da393b8b696c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\kbhRA41Nczhx.exe

Filesize
2.3MB

MD5
a1be0cf8d182e385689ed50d609fbb8e

SHA1
fc7a90a9ce07f85951002da1ac9c9c9891818f4d

SHA256
1ba5ccaf439f106d180dff8134a0bd992b359f06a60b11d05b7c624f1ec2db31

SHA512
971cb75ef67b8d33312e59fc506ba6900b5e480a1580a899bece6fcc46607c5e5435842dd8ff8593b927c38b44766bc2864ac4afc2418b5f2f7397c19beef6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\kbhRA41Nczhx.exe

Filesize
2.3MB

MD5
a1be0cf8d182e385689ed50d609fbb8e

SHA1
fc7a90a9ce07f85951002da1ac9c9c9891818f4d

SHA256
1ba5ccaf439f106d180dff8134a0bd992b359f06a60b11d05b7c624f1ec2db31

SHA512
971cb75ef67b8d33312e59fc506ba6900b5e480a1580a899bece6fcc46607c5e5435842dd8ff8593b927c38b44766bc2864ac4afc2418b5f2f7397c19beef6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\kbhRA41Nczhx.exe

Filesize
2.3MB

MD5
a1be0cf8d182e385689ed50d609fbb8e

SHA1
fc7a90a9ce07f85951002da1ac9c9c9891818f4d

SHA256
1ba5ccaf439f106d180dff8134a0bd992b359f06a60b11d05b7c624f1ec2db31

SHA512
971cb75ef67b8d33312e59fc506ba6900b5e480a1580a899bece6fcc46607c5e5435842dd8ff8593b927c38b44766bc2864ac4afc2418b5f2f7397c19beef6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\kbhRA41Nczhx.exe

Filesize
2.3MB

MD5
a1be0cf8d182e385689ed50d609fbb8e

SHA1
fc7a90a9ce07f85951002da1ac9c9c9891818f4d

SHA256
1ba5ccaf439f106d180dff8134a0bd992b359f06a60b11d05b7c624f1ec2db31

SHA512
971cb75ef67b8d33312e59fc506ba6900b5e480a1580a899bece6fcc46607c5e5435842dd8ff8593b927c38b44766bc2864ac4afc2418b5f2f7397c19beef6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\theme-wpf.json

Filesize
10KB

MD5
f92e57a56c890da7b29a80219eda8b76

SHA1
7223dfdff6049b293665a2e9f4e6d12a803b4bd7

SHA256
a55cf3c1a752cecce303c97f08fea682644297cde884affb25849e2cb7b90a30

SHA512
79f64d690718e685205260d1fe03ab9f75cfdc03cbe4210b403f02ab32b72b2c72954cbbfdea7f59014e934acf674d13fe43dbdeac20a3499c54afe59ad133ca

Download Submit
\??\pipe\LOCAL\crashpad_4680_YPGQENOLQTUSNUAT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/312-230-0x0000000000000000-mapping.dmp

Download
memory/432-214-0x0000000000000000-mapping.dmp

Download
memory/448-246-0x0000000000000000-mapping.dmp

Download
memory/644-277-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-289-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-284-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-283-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-282-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-280-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-279-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-278-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-286-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-275-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-273-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-272-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-271-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-270-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-287-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-269-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-288-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-290-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-268-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-285-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-291-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-267-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-266-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-265-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-292-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-293-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-261-0x0000000000000000-mapping.dmp

Download
memory/644-294-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-295-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-303-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-302-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-300-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-296-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/644-298-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1272-226-0x0000000000000000-mapping.dmp

Download
memory/1356-139-0x0000000000B20000-0x0000000000D7C000-memory.dmp

Filesize
2.4MB

Download
memory/1356-136-0x0000000000000000-mapping.dmp

Download
memory/1424-238-0x0000000000000000-mapping.dmp

Download
memory/1728-250-0x0000000000000000-mapping.dmp

Download
memory/1772-234-0x0000000000000000-mapping.dmp

Download
memory/1928-209-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-194-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-199-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-203-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-204-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-205-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-206-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-207-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-187-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-208-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-210-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-211-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-212-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-213-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-197-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-185-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-177-0x0000000000000000-mapping.dmp

Download
memory/1928-195-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-188-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-201-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-181-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-186-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-180-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-193-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-184-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-192-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-182-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-191-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-183-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/1928-189-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/2084-241-0x0000000000000000-mapping.dmp

Download
memory/2304-232-0x0000000000000000-mapping.dmp

Download
memory/2520-216-0x0000000000000000-mapping.dmp

Download
memory/2532-243-0x0000000000000000-mapping.dmp

Download
memory/2688-240-0x0000000000000000-mapping.dmp

Download
memory/2688-252-0x0000000000000000-mapping.dmp

Download
memory/2996-254-0x0000000000000000-mapping.dmp

Download
memory/3172-256-0x0000000000000000-mapping.dmp

Download
memory/3576-220-0x0000000000000000-mapping.dmp

Download
memory/3716-174-0x0000000000000000-mapping.dmp

Download
memory/3824-258-0x0000000000000000-mapping.dmp

Download
memory/3892-239-0x0000000000000000-mapping.dmp

Download
memory/3936-222-0x0000000000000000-mapping.dmp

Download
memory/4224-236-0x0000000000000000-mapping.dmp

Download
memory/4236-228-0x0000000000000000-mapping.dmp

Download
memory/4408-224-0x0000000000000000-mapping.dmp

Download
memory/4496-259-0x0000000000000000-mapping.dmp

Download
memory/4496-132-0x00000000002E0000-0x00000000003AA000-memory.dmp

Filesize
808KB

Download
memory/4496-133-0x0000000005250000-0x00000000057F4000-memory.dmp

Filesize
5.6MB

Download
memory/4496-134-0x0000000004D40000-0x0000000004DD2000-memory.dmp

Filesize
584KB

Download
memory/4496-135-0x0000000008390000-0x00000000083B2000-memory.dmp

Filesize
136KB

Download
memory/4572-217-0x0000000000000000-mapping.dmp

Download
memory/4596-248-0x0000000000000000-mapping.dmp

Download
memory/4640-245-0x0000000000000000-mapping.dmp

Download
memory/4888-161-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/4888-153-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/4888-167-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/4888-166-0x000000000A7A0000-0x000000000A7AE000-memory.dmp

Filesize
56KB

Download
memory/4888-165-0x000000000A7D0000-0x000000000A808000-memory.dmp

Filesize
224KB

Download
memory/4888-163-0x0000000006220000-0x0000000006228000-memory.dmp

Filesize
32KB

Download
memory/4888-162-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/4888-170-0x000000000B120000-0x000000000B132000-memory.dmp

Filesize
72KB

Download
memory/4888-160-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/4888-159-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/4888-158-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/4888-156-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/4888-154-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/4888-168-0x000000000AE70000-0x000000000AEC0000-memory.dmp

Filesize
320KB

Download
memory/4888-152-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/4888-151-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/4888-150-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/4888-149-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/4888-148-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/4888-147-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/4888-146-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/4888-141-0x0000000000000000-mapping.dmp

Download
memory/4888-169-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/4888-171-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download
memory/4888-172-0x000000006D380000-0x000000006E2A6000-memory.dmp

Filesize
15.1MB

Download