dcrat | 41b4cc711899e88e5a7ddc2977d9f817f230e4186841a0d26bd66f26281562b6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2023 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0eae001edceff3bc23cadaae071dfc32.exe
Size

206KB
MD5

0eae001edceff3bc23cadaae071dfc32
SHA1

5d387a67ba534fd143eaea2730ad0a15e020e7e4
SHA256

41b4cc711899e88e5a7ddc2977d9f817f230e4186841a0d26bd66f26281562b6
SHA512

d6ffbacae4a9c0e0d448bad7686e7418e4e19cc77eaff39c55a02b3f7d3ce264f290dd55231281439e98e935b7f08a20ad10686a52a210c094c791f92811ee7f
SSDEEP

6144:i7ziNNyACm+SVpiHIu8v/1Z94630C8Ot1:+zD1m+SPiH58vdZ9J3Pt

Score

10^/10

dcrat smokeloader agilenet backdoor microsoft evasion infostealer persistence phishing rat themida trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3516-136-0x00000000007C0000-0x00000000007C9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/5264-275-0x0000000000400000-0x000000000052A000-memory.dmp	dcrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

443E.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 443E.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	443E.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

443E.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	443E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	443E.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

8522.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 8522.exe
Executes dropped EXE 7 IoCs

Processes:

223D.exe443E.exe51FA.exe7D22.exe8522.exe8A05.exe8522.exe

pid process

1488 223D.exe
4916 443E.exe
4764 51FA.exe
4644 7D22.exe
4556 8522.exe
3180 8A05.exe
5264 8522.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	8522.exe

pid	process
1488	223D.exe
4916	443E.exe
4764	51FA.exe
4644	7D22.exe
4556	8522.exe
3180	8A05.exe
5264	8522.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/4916-191-0x0000000000A20000-0x0000000001254000-memory.dmp	agile_net

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\443E.exe	themida
C:\Users\Admin\AppData\Local\Temp\443E.exe	themida
behavioral2/memory/4916-191-0x0000000000A20000-0x0000000001254000-memory.dmp	themida

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

443E.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 443E.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Detected potential entity reuse from brand microsoft.
phishing microsoft
Suspicious use of SetThreadContext 2 IoCs

Processes:

51FA.exe8522.exe

description pid process target process

PID 4764 set thread context of 1160 4764 51FA.exe vbc.exe
PID 4556 set thread context of 5264 4556 8522.exe 8522.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	443E.exe

description	pid	process	target process
PID 4764 set thread context of 1160	4764	51FA.exe	vbc.exe
PID 4556 set thread context of 5264	4556	8522.exe	8522.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\460e99df-6d4f-4357-8f38-03ad8c169393.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230217232715.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4860 4764 WerFault.exe 51FA.exe

pid	pid_target	process	target process
4860	4764	WerFault.exe	51FA.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0eae001edceff3bc23cadaae071dfc32.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0eae001edceff3bc23cadaae071dfc32.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0eae001edceff3bc23cadaae071dfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0eae001edceff3bc23cadaae071dfc32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

7D22.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityModeType = "844788910"	7D22.exe

Modifies registry class 4 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0eae001edceff3bc23cadaae071dfc32.exe

pid	process
3516	0eae001edceff3bc23cadaae071dfc32.exe
3516	0eae001edceff3bc23cadaae071dfc32.exe
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2596

pid	process
2596

Suspicious behavior: MapViewOfSection 37 IoCs

Processes:

0eae001edceff3bc23cadaae071dfc32.exeexplorer.exe

pid	process
3516	0eae001edceff3bc23cadaae071dfc32.exe
2596
2596
2596
2596
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2596
2596
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2596
2596
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2596
2596
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2596
2596
2304	explorer.exe
2304	explorer.exe
2596
2596
2596
2596
2596
2596

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

2320 msedge.exe
2320 msedge.exe
2320 msedge.exe
2320 msedge.exe
2320 msedge.exe
2320 msedge.exe
2320 msedge.exe

pid	process
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

Processes:

vbc.exepowershell.exe8522.exe8522.exe

description	pid	process
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeDebugPrivilege	1160	vbc.exe
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeDebugPrivilege	4556	8522.exe
Token: SeDebugPrivilege	5264	8522.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

msedge.exe

pid process

2320 msedge.exe
2596
2596
2320 msedge.exe
2596
2320 msedge.exe
2596
2596
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

7D22.exe

pid process

4644 7D22.exe
4644 7D22.exe

pid	process
2320	msedge.exe
2596
2596
2320	msedge.exe
2596
2320	msedge.exe
2596
2596

pid	process
4644	7D22.exe
4644	7D22.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

443E.exemsedge.exe51FA.exe

description	pid	process	target process
PID 2596 wrote to memory of 1488	2596		223D.exe
PID 2596 wrote to memory of 1488	2596		223D.exe
PID 2596 wrote to memory of 4916	2596		443E.exe
PID 2596 wrote to memory of 4916	2596		443E.exe
PID 2596 wrote to memory of 4916	2596		443E.exe
PID 2596 wrote to memory of 4764	2596		51FA.exe
PID 2596 wrote to memory of 4764	2596		51FA.exe
PID 2596 wrote to memory of 4764	2596		51FA.exe
PID 4916 wrote to memory of 2320	4916	443E.exe	msedge.exe
PID 4916 wrote to memory of 2320	4916	443E.exe	msedge.exe
PID 2320 wrote to memory of 1076	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 1076	2320	msedge.exe	msedge.exe
PID 4764 wrote to memory of 1160	4764	51FA.exe	vbc.exe
PID 4764 wrote to memory of 1160	4764	51FA.exe	vbc.exe
PID 4764 wrote to memory of 1160	4764	51FA.exe	vbc.exe
PID 4764 wrote to memory of 1160	4764	51FA.exe	vbc.exe
PID 4764 wrote to memory of 1160	4764	51FA.exe	vbc.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4108	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 2652	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 2652	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4740	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4740	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4740	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4740	2320	msedge.exe	msedge.exe
PID 2320 wrote to memory of 4740	2320	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\0eae001edceff3bc23cadaae071dfc32.exe
"C:\Users\Admin\AppData\Local\Temp\0eae001edceff3bc23cadaae071dfc32.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3516

C:\Users\Admin\AppData\Local\Temp\223D.exe
C:\Users\Admin\AppData\Local\Temp\223D.exe
1⤵
- Executes dropped EXE
PID:1488

C:\Users\Admin\AppData\Local\Temp\443E.exe
C:\Users\Admin\AppData\Local\Temp\443E.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=443E.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x40,0xdc,0x100,0x9c,0x104,0x7ffb3dd946f8,0x7ffb3dd94708,0x7ffb3dd94718
3⤵
PID:1076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
3⤵
PID:4108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
3⤵
PID:2652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
3⤵
PID:4740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
3⤵
PID:3160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
3⤵
PID:1292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
3⤵
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5488 /prefetch:8
3⤵
PID:112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
3⤵
PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
3⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4472 /prefetch:8
3⤵
PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
3⤵
PID:1876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
3⤵
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6564 /prefetch:8
3⤵
PID:212

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7bdf15460,0x7ff7bdf15470,0x7ff7bdf15480
4⤵
PID:3968

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6564 /prefetch:8
3⤵
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1116 /prefetch:8
3⤵
PID:5392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,5902078599561076440,4330434099488831451,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1820 /prefetch:8
3⤵
PID:5516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=443E.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xe4,0x108,0x7ffb3dd946f8,0x7ffb3dd94708,0x7ffb3dd94718
3⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\51FA.exe
C:\Users\Admin\AppData\Local\Temp\51FA.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 248
2⤵
- Program crash
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4764 -ip 4764
1⤵
PID:3128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\7D22.exe
C:\Users\Admin\AppData\Local\Temp\7D22.exe
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4644

C:\Users\Admin\AppData\Local\Temp\8522.exe
C:\Users\Admin\AppData\Local\Temp\8522.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Users\Admin\AppData\Local\Temp\8522.exe
C:\Users\Admin\AppData\Local\Temp\8522.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5264

C:\Users\Admin\AppData\Local\Temp\8A05.exe
C:\Users\Admin\AppData\Local\Temp\8A05.exe
1⤵
- Executes dropped EXE
PID:3180

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4200

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2304

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4992

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4880

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2024

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4224

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4692

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5128

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8522.exe.log
Filesize
1KB

MD5
9e39b702ddcbdc603ad47b9d318dce62

SHA1
31709fbc20df043f4699fc3b288ce9bccd666b94

SHA256
b91057818a6617ee8e0c725d144403d30226b04d8181fed08cf0e5d634ee6388

SHA512
bab6b606b18f68e775d5a4fc2033adb1f228f66fe7103fe49a58dc7349227769df14d53b665615c7a9fb0cf2bbf679d5aa1ff2e97b0200d0a3603f8aebb9f533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7c671a6a3920cf5a5a7b5641546564b1

SHA1
a32dc7eb5fbcabfd80bd3cc83feb61cb439f3049

SHA256
88d8dd693b6f739068b9aff5c6cc8b036af8cd00f0f4df07fe339393045ec417

SHA512
10f63235b9b1d7bc0935ad1fbfd1dcf3d3fb25adba141d951f4fb99f1d01c870de7ed34cfc447598295fc8f051050e949f4eb663a435d3315f953a5896ef7c2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\223D.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\223D.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\443E.exe
Filesize
3.0MB

MD5
4df973fc60804e9bc6a8051582351ee5

SHA1
4ddc2e8ef17773fe4b7a29ea8634ff92861cd647

SHA256
bd036b1298af5791d217f59dcedb65fd719f942f7da224bdf6cea433d45c34b1

SHA512
86633629198870b36a5d9b28178140a4892f75581ac0f2bac77cb744bbdf0c7e2453656a31db4a4a9418d532212f3ed31a7061a0b84aa4bcc37da0f0d907048e

Download Submit
C:\Users\Admin\AppData\Local\Temp\443E.exe
Filesize
3.0MB

MD5
4df973fc60804e9bc6a8051582351ee5

SHA1
4ddc2e8ef17773fe4b7a29ea8634ff92861cd647

SHA256
bd036b1298af5791d217f59dcedb65fd719f942f7da224bdf6cea433d45c34b1

SHA512
86633629198870b36a5d9b28178140a4892f75581ac0f2bac77cb744bbdf0c7e2453656a31db4a4a9418d532212f3ed31a7061a0b84aa4bcc37da0f0d907048e

Download Submit
C:\Users\Admin\AppData\Local\Temp\51FA.exe
Filesize
1.1MB

MD5
b5cd4deb250cbeda544d8622d7ed90bf

SHA1
d8f784eba044a176e935cd6bc9a97d346a810c98

SHA256
8f4b3502e38100486b960ef7d7aea1c43ba2ba38f5d31439b1ae9324c3f43621

SHA512
1a828445c797a4af0279eb2d0ba2e973b2768da5eeec6ebc42c104a1bf689268798380b8da2496757d7ee0e61f10cadadc7369fb5cb535d13260d7721562f2ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\51FA.exe
Filesize
1.1MB

MD5
b5cd4deb250cbeda544d8622d7ed90bf

SHA1
d8f784eba044a176e935cd6bc9a97d346a810c98

SHA256
8f4b3502e38100486b960ef7d7aea1c43ba2ba38f5d31439b1ae9324c3f43621

SHA512
1a828445c797a4af0279eb2d0ba2e973b2768da5eeec6ebc42c104a1bf689268798380b8da2496757d7ee0e61f10cadadc7369fb5cb535d13260d7721562f2ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D22.exe
Filesize
6.4MB

MD5
3e9adb4d8dbec6eddee3065caf5911f6

SHA1
31c7111c8044afdf5c6ddb1e55244acfd06229d3

SHA256
215426d36754e9d391ae8ccabb74de1489fb8c18a127fec02a5be4e45462a7a5

SHA512
b62f413092028a3bdbc4ee7f6a085e881f51ed68c28d2950d1665cb4ecb1170f173a6003660b3c0d6629cc85f6f4b0e28dedd42c839ebbb29343b46a4f474ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D22.exe
Filesize
6.4MB

MD5
3e9adb4d8dbec6eddee3065caf5911f6

SHA1
31c7111c8044afdf5c6ddb1e55244acfd06229d3

SHA256
215426d36754e9d391ae8ccabb74de1489fb8c18a127fec02a5be4e45462a7a5

SHA512
b62f413092028a3bdbc4ee7f6a085e881f51ed68c28d2950d1665cb4ecb1170f173a6003660b3c0d6629cc85f6f4b0e28dedd42c839ebbb29343b46a4f474ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8522.exe
Filesize
1.5MB

MD5
c8c05c344c028625e22fbf3f9b00a9a7

SHA1
ab3b124bb475a411307a7b699e0f6cd1ad549051

SHA256
5be19294bec8749e2473edb88ced8d8d6844d79dc2d7181002f37d3b740fb747

SHA512
c771810a128d77e978a034d69a1bd27309812e9f17c30d5bd407c43293500a60d09c386c98be16f20b582c5457c6b03ee6e1758cf661ecc81e03726a7192aeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\8522.exe
Filesize
1.5MB

MD5
c8c05c344c028625e22fbf3f9b00a9a7

SHA1
ab3b124bb475a411307a7b699e0f6cd1ad549051

SHA256
5be19294bec8749e2473edb88ced8d8d6844d79dc2d7181002f37d3b740fb747

SHA512
c771810a128d77e978a034d69a1bd27309812e9f17c30d5bd407c43293500a60d09c386c98be16f20b582c5457c6b03ee6e1758cf661ecc81e03726a7192aeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\8522.exe
Filesize
1.5MB

MD5
c8c05c344c028625e22fbf3f9b00a9a7

SHA1
ab3b124bb475a411307a7b699e0f6cd1ad549051

SHA256
5be19294bec8749e2473edb88ced8d8d6844d79dc2d7181002f37d3b740fb747

SHA512
c771810a128d77e978a034d69a1bd27309812e9f17c30d5bd407c43293500a60d09c386c98be16f20b582c5457c6b03ee6e1758cf661ecc81e03726a7192aeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A05.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A05.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
Filesize
2KB

MD5
b6320f82f954c7a77f059fdbc7454957

SHA1
134ad78bb4532f81da570544928ea8088a10cbbb

SHA256
f5a5e00a7e039ee6c4729cbbf40c7397fda007a401cc05d4716567d8fa09ed08

SHA512
cd5d47c4a0f17fcae0b9c7476fcdc5b9de61237582f7f285951ee04330829f2fbb833560e4c8410c10d01fc3f87cce6a61932a75ab0550fef9c95c31c245558a

Download Submit
\??\pipe\LOCAL\crashpad_2320_CUPBNLKTOUBYSYPU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/112-185-0x0000000000000000-mapping.dmp

Download
memory/220-182-0x0000000000000000-mapping.dmp

Download
memory/1076-234-0x000001B359B20000-0x000001B359B2F000-memory.dmp

Filesize
60KB

Download
memory/1076-154-0x0000000000000000-mapping.dmp

Download
memory/1160-176-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/1160-183-0x00000000064F0000-0x0000000006566000-memory.dmp

Filesize
472KB

Download
memory/1160-195-0x00000000071A0000-0x0000000007362000-memory.dmp

Filesize
1.8MB

Download
memory/1160-165-0x0000000005510000-0x000000000554C000-memory.dmp

Filesize
240KB

Download
memory/1160-196-0x00000000078A0000-0x0000000007DCC000-memory.dmp

Filesize
5.2MB

Download
memory/1160-187-0x00000000068B0000-0x0000000006900000-memory.dmp

Filesize
320KB

Download
memory/1160-186-0x0000000006490000-0x00000000064AE000-memory.dmp

Filesize
120KB

Download
memory/1160-161-0x0000000005AD0000-0x00000000060E8000-memory.dmp

Filesize
6.1MB

Download
memory/1160-155-0x0000000000000000-mapping.dmp

Download
memory/1160-163-0x00000000055E0000-0x00000000056EA000-memory.dmp

Filesize
1.0MB

Download
memory/1160-179-0x00000000063D0000-0x0000000006462000-memory.dmp

Filesize
584KB

Download
memory/1160-180-0x0000000006A20000-0x0000000006FC4000-memory.dmp

Filesize
5.6MB

Download
memory/1160-162-0x00000000054B0000-0x00000000054C2000-memory.dmp

Filesize
72KB

Download
memory/1160-156-0x0000000001000000-0x0000000001044000-memory.dmp

Filesize
272KB

Download
memory/1292-175-0x0000000000000000-mapping.dmp

Download
memory/1488-139-0x0000000000000000-mapping.dmp

Download
memory/1488-142-0x0000000000820000-0x0000000000828000-memory.dmp

Filesize
32KB

Download
memory/1488-143-0x00007FFB3D1C0000-0x00007FFB3DC81000-memory.dmp

Filesize
10.8MB

Download
memory/1876-224-0x0000000000000000-mapping.dmp

Download
memory/1876-252-0x0000027905080000-0x000002790508F000-memory.dmp

Filesize
60KB

Download
memory/1916-194-0x0000000000000000-mapping.dmp

Download
memory/1916-250-0x000001B301E10000-0x000001B301E1F000-memory.dmp

Filesize
60KB

Download
memory/2024-245-0x0000000000000000-mapping.dmp

Download
memory/2024-248-0x00000000003B0000-0x00000000003D2000-memory.dmp

Filesize
136KB

Download
memory/2024-249-0x0000000000380000-0x00000000003A7000-memory.dmp

Filesize
156KB

Download
memory/2024-269-0x00000000003B0000-0x00000000003D2000-memory.dmp

Filesize
136KB

Download
memory/2304-228-0x0000000000C80000-0x0000000000C89000-memory.dmp

Filesize
36KB

Download
memory/2304-229-0x00000000009F0000-0x00000000009FF000-memory.dmp

Filesize
60KB

Download
memory/2304-227-0x0000000000000000-mapping.dmp

Download
memory/2304-266-0x0000000000C80000-0x0000000000C89000-memory.dmp

Filesize
36KB

Download
memory/2320-153-0x0000000000000000-mapping.dmp

Download
memory/2320-230-0x0000024D24AF0000-0x0000024D24AFF000-memory.dmp

Filesize
60KB

Download
memory/2652-241-0x00000152D3E00000-0x00000152D3E0F000-memory.dmp

Filesize
60KB

Download
memory/2652-168-0x0000000000000000-mapping.dmp

Download
memory/2960-190-0x0000000000000000-mapping.dmp

Download
memory/3160-173-0x0000000000000000-mapping.dmp

Download
memory/3160-247-0x000002AABF9F0000-0x000002AABF9FF000-memory.dmp

Filesize
60KB

Download
memory/3180-212-0x00007FFB3A140000-0x00007FFB3AC01000-memory.dmp

Filesize
10.8MB

Download
memory/3180-209-0x0000000000000000-mapping.dmp

Download
memory/3504-238-0x0000000000000000-mapping.dmp

Download
memory/3516-138-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/3516-135-0x00000000007FF000-0x0000000000812000-memory.dmp

Filesize
76KB

Download
memory/3516-137-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/3516-136-0x00000000007C0000-0x00000000007C9000-memory.dmp

Filesize
36KB

Download
memory/3968-240-0x0000000000000000-mapping.dmp

Download
memory/4108-167-0x0000000000000000-mapping.dmp

Download
memory/4108-237-0x0000020E1AF40000-0x0000020E1AF4F000-memory.dmp

Filesize
60KB

Download
memory/4200-218-0x0000000000760000-0x0000000000767000-memory.dmp

Filesize
28KB

Download
memory/4200-265-0x0000000000760000-0x0000000000767000-memory.dmp

Filesize
28KB

Download
memory/4200-216-0x0000000000000000-mapping.dmp

Download
memory/4200-219-0x0000000000750000-0x000000000075B000-memory.dmp

Filesize
44KB

Download
memory/4224-254-0x0000000001280000-0x0000000001289000-memory.dmp

Filesize
36KB

Download
memory/4224-251-0x0000000000000000-mapping.dmp

Download
memory/4224-253-0x0000000001290000-0x0000000001295000-memory.dmp

Filesize
20KB

Download
memory/4224-270-0x0000000001290000-0x0000000001295000-memory.dmp

Filesize
20KB

Download
memory/4488-226-0x0000000000000000-mapping.dmp

Download
memory/4488-255-0x000001C78E9E0000-0x000001C78E9EF000-memory.dmp

Filesize
60KB

Download
memory/4556-204-0x0000000000000000-mapping.dmp

Download
memory/4556-208-0x0000000005CA0000-0x0000000005CC2000-memory.dmp

Filesize
136KB

Download
memory/4556-207-0x0000000000D60000-0x0000000000EF0000-memory.dmp

Filesize
1.6MB

Download
memory/4640-198-0x0000000000000000-mapping.dmp

Download
memory/4644-201-0x0000000000000000-mapping.dmp

Download
memory/4692-258-0x0000000000AB0000-0x0000000000ABB000-memory.dmp

Filesize
44KB

Download
memory/4692-256-0x0000000000000000-mapping.dmp

Download
memory/4692-257-0x0000000000AC0000-0x0000000000AC6000-memory.dmp

Filesize
24KB

Download
memory/4740-171-0x0000000000000000-mapping.dmp

Download
memory/4740-244-0x000001B61F920000-0x000001B61F92F000-memory.dmp

Filesize
60KB

Download
memory/4764-164-0x0000000000870000-0x0000000000988000-memory.dmp

Filesize
1.1MB

Download
memory/4764-150-0x0000000000000000-mapping.dmp

Download
memory/4764-221-0x0000000000000000-mapping.dmp

Download
memory/4816-232-0x0000000007F30000-0x00000000085AA000-memory.dmp

Filesize
6.5MB

Download
memory/4816-222-0x00000000068D0000-0x00000000068EE000-memory.dmp

Filesize
120KB

Download
memory/4816-213-0x0000000000000000-mapping.dmp

Download
memory/4816-233-0x0000000006DA0000-0x0000000006DBA000-memory.dmp

Filesize
104KB

Download
memory/4816-214-0x0000000002FA0000-0x0000000002FD6000-memory.dmp

Filesize
216KB

Download
memory/4816-215-0x0000000005A80000-0x00000000060A8000-memory.dmp

Filesize
6.2MB

Download
memory/4816-217-0x0000000006220000-0x0000000006286000-memory.dmp

Filesize
408KB

Download
memory/4880-268-0x0000000000FD0000-0x0000000000FD6000-memory.dmp

Filesize
24KB

Download
memory/4880-242-0x0000000000FD0000-0x0000000000FD6000-memory.dmp

Filesize
24KB

Download
memory/4880-189-0x0000000000000000-mapping.dmp

Download
memory/4880-239-0x0000000000000000-mapping.dmp

Download
memory/4880-243-0x0000000000FC0000-0x0000000000FCC000-memory.dmp

Filesize
48KB

Download
memory/4916-188-0x0000000000A20000-0x0000000001254000-memory.dmp

Filesize
8.2MB

Download
memory/4916-144-0x0000000000000000-mapping.dmp

Download
memory/4916-149-0x0000000000A20000-0x0000000001254000-memory.dmp

Filesize
8.2MB

Download
memory/4916-191-0x0000000000A20000-0x0000000001254000-memory.dmp

Filesize
8.2MB

Download
memory/4992-236-0x00000000007C0000-0x00000000007C9000-memory.dmp

Filesize
36KB

Download
memory/4992-231-0x0000000000000000-mapping.dmp

Download
memory/4992-235-0x00000000007D0000-0x00000000007D5000-memory.dmp

Filesize
20KB

Download
memory/4992-267-0x00000000007D0000-0x00000000007D5000-memory.dmp

Filesize
20KB

Download
memory/5036-246-0x0000000000000000-mapping.dmp

Download
memory/5128-261-0x00000000009E0000-0x00000000009ED000-memory.dmp

Filesize
52KB

Download
memory/5128-260-0x00000000009F0000-0x00000000009F7000-memory.dmp

Filesize
28KB

Download
memory/5128-259-0x0000000000000000-mapping.dmp

Download
memory/5156-263-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download
memory/5156-264-0x0000000000AC0000-0x0000000000ACB000-memory.dmp

Filesize
44KB

Download
memory/5156-262-0x0000000000000000-mapping.dmp

Download
memory/5264-274-0x0000000000000000-mapping.dmp

Download
memory/5264-275-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/5392-279-0x0000000000000000-mapping.dmp

Download
memory/5516-281-0x0000000000000000-mapping.dmp

Download