dcrat | 87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7

Analysis

max time kernel
150s
max time network
149s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
17-02-2023 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7.exe
Size

149KB
MD5

44ec25472db6fee472da351f487dc468
SHA1

ec1213cf3c2e4cfb59d6c5939cec70127ae5089a
SHA256

87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7
SHA512

5a19e138bb7233701d1b4d00d135e95741f3cf2294458ce393ad2de11642a15382efaff94eb6563969fb60663e3606f59f92756900d3f4b37d8f928d89f262e6
SSDEEP

3072:eEChCvRP0UwWtirLOFtugxs3zobkeZOo3:e5hCvFvwsxFEg63wKo

Score

10^/10

dcrat smokeloader agilenet backdoor microsoft evasion infostealer phishing rat themida trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1968-152-0x0000000002270000-0x0000000002279000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/3144-1227-0x000000000052444E-mapping.dmp	dcrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

FFE2.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ FFE2.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	FFE2.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FFE2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FFE2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FFE2.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

FFE2.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\Geo\Nation FFE2.exe
Deletes itself 1 IoCs

Processes:

pid process

2056
Executes dropped EXE 7 IoCs

Processes:

E851.exeFFE2.exeE1B.exe1E39.exe27A0.exe2DEB.exe27A0.exe

pid process

3988 E851.exe
4564 FFE2.exe
1876 E1B.exe
4272 1E39.exe
3324 27A0.exe
4772 2DEB.exe
3144 27A0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\Geo\Nation	FFE2.exe

pid	process
2056

pid	process
3988	E851.exe
4564	FFE2.exe
1876	E1B.exe
4272	1E39.exe
3324	27A0.exe
4772	2DEB.exe
3144	27A0.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/4564-396-0x00000000011F0000-0x0000000001A24000-memory.dmp	agile_net

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\FFE2.exe	themida
C:\Users\Admin\AppData\Local\Temp\FFE2.exe	themida
behavioral1/memory/4564-396-0x00000000011F0000-0x0000000001A24000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

FFE2.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA FFE2.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Detected potential entity reuse from brand microsoft.
phishing microsoft

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FFE2.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

E1B.exe27A0.exe

description	pid	process	target process
PID 1876 set thread context of 4192	1876	E1B.exe	AppLaunch.exe
PID 3324 set thread context of 3144	3324	27A0.exe	27A0.exe

Drops file in Windows directory 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

1E39.exeMicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityModeType = "843429875"	1E39.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7079b7ba0143d901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 37510ab10143d901	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 453268b80143d901	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000008d1a0de61dc3b31877c532bf76ca4c8f65976917a19c428ce248d9e21e10a0e97456dbf766afea5e992029488d3d6b1c9a654e152dba7854b8c4	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{B5EB0487-53BD-40AA-AB9E-64327BEC4284}"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\AA549154B737EF29C	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a9d3abaf0143d901	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = cd9310ba0143d901	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e06438cd0143d901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = d581f14b6daed801	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7.exe

pid	process
1968	87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7.exe
1968	87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7.exe
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2056

pid	process
2056

Suspicious behavior: MapViewOfSection 55 IoCs

Processes:

87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7.exeexplorer.exeexplorer.exeMicrosoftEdgeCP.exe

pid	process
1968	87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7.exe
2056
2056
2056
2056
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
2056
2056
2056
2056
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
1724	explorer.exe
1724	explorer.exe
4100	explorer.exe
4100	explorer.exe
4160	MicrosoftEdgeCP.exe
4160	MicrosoftEdgeCP.exe
4160	MicrosoftEdgeCP.exe
4160	MicrosoftEdgeCP.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

MicrosoftEdge.exeAppLaunch.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exepowershell.exe27A0.exe27A0.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeTakeOwnershipPrivilege	2056
Token: SeRestorePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeDebugPrivilege	3112	MicrosoftEdge.exe
Token: SeDebugPrivilege	3112	MicrosoftEdge.exe
Token: SeDebugPrivilege	3112	MicrosoftEdge.exe
Token: SeDebugPrivilege	3112	MicrosoftEdge.exe
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeDebugPrivilege	4192	AppLaunch.exe
Token: SeDebugPrivilege	2080	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3624	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2080	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3624	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3624	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeDebugPrivilege	3324	27A0.exe
Token: SeDebugPrivilege	3144	27A0.exe
Token: SeDebugPrivilege	4128	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4128	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

1E39.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid process

2056
4272 1E39.exe
4272 1E39.exe
3112 MicrosoftEdge.exe
2272 MicrosoftEdgeCP.exe
4160 MicrosoftEdgeCP.exe
4160 MicrosoftEdgeCP.exe

pid	process
2056
4272	1E39.exe
4272	1E39.exe
3112	MicrosoftEdge.exe
2272	MicrosoftEdgeCP.exe
4160	MicrosoftEdgeCP.exe
4160	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

E1B.exe27A0.exe

description	pid	process	target process
PID 2056 wrote to memory of 3988	2056		E851.exe
PID 2056 wrote to memory of 3988	2056		E851.exe
PID 2056 wrote to memory of 4564	2056		FFE2.exe
PID 2056 wrote to memory of 4564	2056		FFE2.exe
PID 2056 wrote to memory of 4564	2056		FFE2.exe
PID 2056 wrote to memory of 1876	2056		E1B.exe
PID 2056 wrote to memory of 1876	2056		E1B.exe
PID 2056 wrote to memory of 1876	2056		E1B.exe
PID 1876 wrote to memory of 4192	1876	E1B.exe	AppLaunch.exe
PID 1876 wrote to memory of 4192	1876	E1B.exe	AppLaunch.exe
PID 1876 wrote to memory of 4192	1876	E1B.exe	AppLaunch.exe
PID 1876 wrote to memory of 4192	1876	E1B.exe	AppLaunch.exe
PID 1876 wrote to memory of 4192	1876	E1B.exe	AppLaunch.exe
PID 2056 wrote to memory of 4272	2056		1E39.exe
PID 2056 wrote to memory of 4272	2056		1E39.exe
PID 2056 wrote to memory of 3324	2056		27A0.exe
PID 2056 wrote to memory of 3324	2056		27A0.exe
PID 2056 wrote to memory of 3324	2056		27A0.exe
PID 2056 wrote to memory of 4772	2056		2DEB.exe
PID 2056 wrote to memory of 4772	2056		2DEB.exe
PID 2056 wrote to memory of 4204	2056		explorer.exe
PID 2056 wrote to memory of 4204	2056		explorer.exe
PID 2056 wrote to memory of 4204	2056		explorer.exe
PID 2056 wrote to memory of 4204	2056		explorer.exe
PID 2056 wrote to memory of 1724	2056		explorer.exe
PID 2056 wrote to memory of 1724	2056		explorer.exe
PID 2056 wrote to memory of 1724	2056		explorer.exe
PID 3324 wrote to memory of 1664	3324	27A0.exe	powershell.exe
PID 3324 wrote to memory of 1664	3324	27A0.exe	powershell.exe
PID 3324 wrote to memory of 1664	3324	27A0.exe	powershell.exe
PID 2056 wrote to memory of 312	2056		explorer.exe
PID 2056 wrote to memory of 312	2056		explorer.exe
PID 2056 wrote to memory of 312	2056		explorer.exe
PID 2056 wrote to memory of 312	2056		explorer.exe
PID 2056 wrote to memory of 4100	2056		explorer.exe
PID 2056 wrote to memory of 4100	2056		explorer.exe
PID 2056 wrote to memory of 4100	2056		explorer.exe
PID 2056 wrote to memory of 4260	2056		explorer.exe
PID 2056 wrote to memory of 4260	2056		explorer.exe
PID 2056 wrote to memory of 4260	2056		explorer.exe
PID 2056 wrote to memory of 4260	2056		explorer.exe
PID 2056 wrote to memory of 700	2056		explorer.exe
PID 2056 wrote to memory of 700	2056		explorer.exe
PID 2056 wrote to memory of 700	2056		explorer.exe
PID 2056 wrote to memory of 700	2056		explorer.exe
PID 2056 wrote to memory of 5060	2056		explorer.exe
PID 2056 wrote to memory of 5060	2056		explorer.exe
PID 2056 wrote to memory of 5060	2056		explorer.exe
PID 2056 wrote to memory of 5060	2056		explorer.exe
PID 2056 wrote to memory of 1908	2056		explorer.exe
PID 2056 wrote to memory of 1908	2056		explorer.exe
PID 2056 wrote to memory of 1908	2056		explorer.exe
PID 2056 wrote to memory of 4796	2056		explorer.exe
PID 2056 wrote to memory of 4796	2056		explorer.exe
PID 2056 wrote to memory of 4796	2056		explorer.exe
PID 2056 wrote to memory of 4796	2056		explorer.exe
PID 3324 wrote to memory of 3144	3324	27A0.exe	27A0.exe
PID 3324 wrote to memory of 3144	3324	27A0.exe	27A0.exe
PID 3324 wrote to memory of 3144	3324	27A0.exe	27A0.exe
PID 3324 wrote to memory of 3144	3324	27A0.exe	27A0.exe
PID 3324 wrote to memory of 3144	3324	27A0.exe	27A0.exe
PID 3324 wrote to memory of 3144	3324	27A0.exe	27A0.exe
PID 3324 wrote to memory of 3144	3324	27A0.exe	27A0.exe
PID 3324 wrote to memory of 3144	3324	27A0.exe	27A0.exe

C:\Users\Admin\AppData\Local\Temp\87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7.exe
"C:\Users\Admin\AppData\Local\Temp\87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1968

C:\Users\Admin\AppData\Local\Temp\E851.exe
C:\Users\Admin\AppData\Local\Temp\E851.exe
1⤵
- Executes dropped EXE
PID:3988

C:\Users\Admin\AppData\Local\Temp\FFE2.exe
C:\Users\Admin\AppData\Local\Temp\FFE2.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4564

C:\Users\Admin\AppData\Local\Temp\E1B.exe
C:\Users\Admin\AppData\Local\Temp\E1B.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Users\Admin\AppData\Local\Temp\1E39.exe
C:\Users\Admin\AppData\Local\Temp\1E39.exe
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4272

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3112

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4972

C:\Users\Admin\AppData\Local\Temp\27A0.exe
C:\Users\Admin\AppData\Local\Temp\27A0.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Users\Admin\AppData\Local\Temp\27A0.exe
C:\Users\Admin\AppData\Local\Temp\27A0.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2272

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Users\Admin\AppData\Local\Temp\2DEB.exe
C:\Users\Admin\AppData\Local\Temp\2DEB.exe
1⤵
- Executes dropped EXE
PID:4772

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4204

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1724

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:312

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4100

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4260

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:700

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5060

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1908

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4796

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\30c697018d22449db8b354be821a54d3 /t 3680 /p 2272
1⤵
PID:5040

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3948

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2652

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4160

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4148

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\27A0.exe.log
Filesize
1KB

MD5
cdafe50c826ebf84242d86919c9fb23c

SHA1
381eab18ab2dc44cf609fc4902a96156b8c7325c

SHA256
bd024be19689b1cc938d73b10e01078cb6cf9076ca3ade764f9b4823debd61dd

SHA512
baceec6e8d20431242f0c60bd987e2d0be820baef5f20bd7aa9a6d43ce8248615c7a4653ddd61ef33a3e39633b8beff6a55801537212f7379439cabe94c7cec4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\32IHXT62\b4d8df46.site-ltr[1].css
Filesize
419KB

MD5
a75251fd428db5a0b7c2fbd1786343ae

SHA1
822340d99b5a23fd12c9359d577511c8e1cb4911

SHA256
c7674f72a268f38d7b8f6c318981e2afa721f827f9787089c0b9c77608b3c9c1

SHA512
9e67f82161d301693e14a6f67cd6fbfcba466be5d3b044b11d398a94751d928eece5f7e65247287e882bbe53f321356a039d34baa103942c55293af7a4e60840

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\RBK9C9LU\SegoeUI-Roman-VF_web[1].woff2
Filesize
115KB

MD5
bca97218dca3cb15ce0284cbcb452890

SHA1
635298cbbd72b74b1762acc7dad6c79de4b3670d

SHA256
63c12051016796d92bcf4bc20b4881057475e6dfa4937c29c9e16054814ab47d

SHA512
6e850842d1e353a5457262c5c78d20704e8bd24b532368ba5e5dfc7a4b63059d536296b597fd3ccbd541aa8f89083a79d50aaa1b5e65b4d23fc37bfd806f0545

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\RBK9C9LU\latest[1].woff2
Filesize
26KB

MD5
2835ee281b077ca8ac7285702007c894

SHA1
2e3d4d912aaf1c3f1f30d95c2c4fcea1b7bbc29a

SHA256
e172a02b68f977a57a1690507df809db1e43130f0161961709a36dbd70b4d25f

SHA512
80881c074df064795f9cc5aa187bea92f0e258bf9f6b970e61e9d50ee812913bf454cecbe7fd9e151bdaef700ce68253697f545ac56d4e7ef7ade7814a1dbc5a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YLMKPUI4\67a45209.deprecation[1].js
Filesize
1KB

MD5
020629eba820f2e09d8cda1a753c032b

SHA1
d91a65036e4c36b07ae3641e32f23f8dd616bd17

SHA256
f8ae8a1dc7ce7877b9fb9299183d2ebb3befad0b6489ae785d99047ec2eb92d1

SHA512
ef5a5c7a301de55d103b1be375d988970d9c4ecd62ce464f730c49e622128f431761d641e1dfaa32ca03f8280b435ae909486806df62a538b48337725eb63ce1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
4KB

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
4KB

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
4KB

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231
Filesize
1KB

MD5
de0b126311cf01a6e876dd21dd14e84f

SHA1
7af3d35f68b3a8b4978bf04732f50efce234cb8f

SHA256
fbf4d0054fe2ef9c99d25e85a2f5ae80a51c49052a3318412d550f3591c167f3

SHA512
a88fe7f8ef738871b7d73ade7485c640a96f7296973661f6b02595120c603a5e3c086871d67299ac4d6a58cda18bd8fdd03e2f075d2541586ed85f8d92a87036

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
60b8066e9fac24eed47aa9984000dd3f

SHA1
623ba2c09be4e6a275d367f4cf84c95da608b499

SHA256
c61d3b755379ad7156a7ae4d6dee58b0bf03766a919f41e43b8dec55937d472a

SHA512
cbace9f49ebc5d6300a6de3e2d79d5793bde66edafb90ba25dcad0c44ab50cffc4b709a15a8838ba8393c062e19eca73c71e48964fef5a5fe17275b2b2dc5f18

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
471B

MD5
bb6d8ccf6f6e9465658a6cbe3bdd2f02

SHA1
86ca1739f14c1b1728c8b88b1977fc3e409a930a

SHA256
dc15d65341d836ca78f2fc90af4ed858119b510648fdd6da67d08c3e46681f5f

SHA512
841af21e5ae598ff4c7f4871083906d40558bc5dc57027c6ee7d1bd8e2f4718f40171393251547056d70526e9139e02fc85dc5fa02af19d24debe7fe3719c89a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
340B

MD5
3e366cca6930debb05388ed01bb826b4

SHA1
6027de79b163d67193b72691a7e2b20269ab2c4c

SHA256
9003cac7beaab16dc5109a37821c37f6a36e60b50f33c4fd9d4043dc01a6396e

SHA512
8c9354f19e465453936801362e5b822157601bb3698756cc4b5c516640aca496a2f32404601eab93d5ec127272d2838ed4b07a0af4bd7368ec5ed8f4c15f42a2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
340B

MD5
3e366cca6930debb05388ed01bb826b4

SHA1
6027de79b163d67193b72691a7e2b20269ab2c4c

SHA256
9003cac7beaab16dc5109a37821c37f6a36e60b50f33c4fd9d4043dc01a6396e

SHA512
8c9354f19e465453936801362e5b822157601bb3698756cc4b5c516640aca496a2f32404601eab93d5ec127272d2838ed4b07a0af4bd7368ec5ed8f4c15f42a2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
340B

MD5
3e366cca6930debb05388ed01bb826b4

SHA1
6027de79b163d67193b72691a7e2b20269ab2c4c

SHA256
9003cac7beaab16dc5109a37821c37f6a36e60b50f33c4fd9d4043dc01a6396e

SHA512
8c9354f19e465453936801362e5b822157601bb3698756cc4b5c516640aca496a2f32404601eab93d5ec127272d2838ed4b07a0af4bd7368ec5ed8f4c15f42a2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231
Filesize
404B

MD5
7a18ef09c53f13277e9eba27213d731f

SHA1
57ec4e5b3601201f10a2ec8fae34ad6907e140c9

SHA256
0dad02a2fad6bea072a6aef440ef251c4ec62b17ea04ea157951820a13fc4feb

SHA512
9e97477fec658c099ae8922f6dd5b5f7b802c41c319d0f1b50421c4d084dfd7be86db8060af9af0fb7f5b7e015eb578c8e0787167f8f1abfd3554a1486233a28

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
442B

MD5
5875da882d776de30f7bc3c2cfd2d75f

SHA1
fb977a4bff51ed033ee2ccd82b6bbf4e73defdf5

SHA256
7508a771c0b32604362616db823fb870e52831bdaaa0efe7dcd08f19eba074de

SHA512
4d489a9815b5ec29386f5721035f9979c9d6e08e702490e32aeffab9083fae2b0a06083b95376ccbc0ebe3d2e2bacbc4b994355487ad16c86b0ea513dac3962e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
442B

MD5
d3df845b3699cd96a8eb4cb270a981a7

SHA1
964cfd974e029c65ecca6c18a9561011036f3643

SHA256
15ffe75613b24006851c57d859ae700d977579976887e2067e120dca795e20b4

SHA512
3242b6f5a79883a2c6af9b86c9da444b988c6e5369b08d05521ed5e71ea0d8680b3ad5e406b87c37a1ca23f06a5f25b0f116df269ca0c103518560781c77acf7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
430B

MD5
c792bf3ace8974d2d28cb42e51ebe1a1

SHA1
11f63e0b828768679e9ba9a4803945a62e7fccd9

SHA256
280f875c8f9a5a3b2ae119b6fc444ac4b0f150a6d035032d36fa925f5c08cb88

SHA512
4b692b6f46347d22bf8748792de95823dfa1f8371710758e64c1c5c8375f0dcd0cda1fdb2f3fae43be4600be57f8421d5a6359f3dc5513fdf04f78e13424f321

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.pri
Filesize
207KB

MD5
e2b88765ee31470114e866d939a8f2c6

SHA1
e0a53b8511186ff308a0507b6304fb16cabd4e1f

SHA256
523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e

SHA512
462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E39.exe
Filesize
6.4MB

MD5
3e9adb4d8dbec6eddee3065caf5911f6

SHA1
31c7111c8044afdf5c6ddb1e55244acfd06229d3

SHA256
215426d36754e9d391ae8ccabb74de1489fb8c18a127fec02a5be4e45462a7a5

SHA512
b62f413092028a3bdbc4ee7f6a085e881f51ed68c28d2950d1665cb4ecb1170f173a6003660b3c0d6629cc85f6f4b0e28dedd42c839ebbb29343b46a4f474ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E39.exe
Filesize
6.4MB

MD5
3e9adb4d8dbec6eddee3065caf5911f6

SHA1
31c7111c8044afdf5c6ddb1e55244acfd06229d3

SHA256
215426d36754e9d391ae8ccabb74de1489fb8c18a127fec02a5be4e45462a7a5

SHA512
b62f413092028a3bdbc4ee7f6a085e881f51ed68c28d2950d1665cb4ecb1170f173a6003660b3c0d6629cc85f6f4b0e28dedd42c839ebbb29343b46a4f474ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\27A0.exe
Filesize
1.5MB

MD5
c8c05c344c028625e22fbf3f9b00a9a7

SHA1
ab3b124bb475a411307a7b699e0f6cd1ad549051

SHA256
5be19294bec8749e2473edb88ced8d8d6844d79dc2d7181002f37d3b740fb747

SHA512
c771810a128d77e978a034d69a1bd27309812e9f17c30d5bd407c43293500a60d09c386c98be16f20b582c5457c6b03ee6e1758cf661ecc81e03726a7192aeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\27A0.exe
Filesize
1.5MB

MD5
c8c05c344c028625e22fbf3f9b00a9a7

SHA1
ab3b124bb475a411307a7b699e0f6cd1ad549051

SHA256
5be19294bec8749e2473edb88ced8d8d6844d79dc2d7181002f37d3b740fb747

SHA512
c771810a128d77e978a034d69a1bd27309812e9f17c30d5bd407c43293500a60d09c386c98be16f20b582c5457c6b03ee6e1758cf661ecc81e03726a7192aeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\27A0.exe
Filesize
1.5MB

MD5
c8c05c344c028625e22fbf3f9b00a9a7

SHA1
ab3b124bb475a411307a7b699e0f6cd1ad549051

SHA256
5be19294bec8749e2473edb88ced8d8d6844d79dc2d7181002f37d3b740fb747

SHA512
c771810a128d77e978a034d69a1bd27309812e9f17c30d5bd407c43293500a60d09c386c98be16f20b582c5457c6b03ee6e1758cf661ecc81e03726a7192aeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DEB.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DEB.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\E1B.exe
Filesize
344KB

MD5
0907dc351caecbe56e4ae22c041efd17

SHA1
019335863db510b409415c574764c7728a5831ec

SHA256
9aef4e5ba4269eeaf266e914e7d48b9ed3e947da9345ec7a9d9e860d6798ea3d

SHA512
61518ad3b9c29ff7d53ab755ca0a4ee66a1e522cf0cd30d7baceb2597dab0c4896597207a0eaf5acfef5b0b5a08b52e9267ebd24ec5f6d15349ac97dcacdcee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\E1B.exe
Filesize
344KB

MD5
0907dc351caecbe56e4ae22c041efd17

SHA1
019335863db510b409415c574764c7728a5831ec

SHA256
9aef4e5ba4269eeaf266e914e7d48b9ed3e947da9345ec7a9d9e860d6798ea3d

SHA512
61518ad3b9c29ff7d53ab755ca0a4ee66a1e522cf0cd30d7baceb2597dab0c4896597207a0eaf5acfef5b0b5a08b52e9267ebd24ec5f6d15349ac97dcacdcee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\E851.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\E851.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFE2.exe
Filesize
3.0MB

MD5
4df973fc60804e9bc6a8051582351ee5

SHA1
4ddc2e8ef17773fe4b7a29ea8634ff92861cd647

SHA256
bd036b1298af5791d217f59dcedb65fd719f942f7da224bdf6cea433d45c34b1

SHA512
86633629198870b36a5d9b28178140a4892f75581ac0f2bac77cb744bbdf0c7e2453656a31db4a4a9418d532212f3ed31a7061a0b84aa4bcc37da0f0d907048e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFE2.exe
Filesize
3.0MB

MD5
4df973fc60804e9bc6a8051582351ee5

SHA1
4ddc2e8ef17773fe4b7a29ea8634ff92861cd647

SHA256
bd036b1298af5791d217f59dcedb65fd719f942f7da224bdf6cea433d45c34b1

SHA512
86633629198870b36a5d9b28178140a4892f75581ac0f2bac77cb744bbdf0c7e2453656a31db4a4a9418d532212f3ed31a7061a0b84aa4bcc37da0f0d907048e

Download Submit
memory/312-731-0x0000000000820000-0x0000000000825000-memory.dmp

Filesize
20KB

Download
memory/312-783-0x0000000000810000-0x0000000000819000-memory.dmp

Filesize
36KB

Download
memory/312-521-0x0000000000000000-mapping.dmp

Download
memory/700-944-0x0000000000AF0000-0x0000000000AF9000-memory.dmp

Filesize
36KB

Download
memory/700-940-0x0000000000B00000-0x0000000000B05000-memory.dmp

Filesize
20KB

Download
memory/700-671-0x0000000000000000-mapping.dmp

Download
memory/1664-1121-0x0000000008990000-0x00000000089AA000-memory.dmp

Filesize
104KB

Download
memory/1664-1008-0x0000000006C10000-0x0000000006C76000-memory.dmp

Filesize
408KB

Download
memory/1664-1119-0x00000000093F0000-0x0000000009A68000-memory.dmp

Filesize
6.5MB

Download
memory/1664-1025-0x0000000006DF0000-0x0000000006E0C000-memory.dmp

Filesize
112KB

Download
memory/1664-511-0x0000000000000000-mapping.dmp

Download
memory/1664-725-0x0000000006E50000-0x0000000007478000-memory.dmp

Filesize
6.2MB

Download
memory/1664-696-0x0000000001130000-0x0000000001166000-memory.dmp

Filesize
216KB

Download
memory/1724-1033-0x00000000001A0000-0x00000000001A9000-memory.dmp

Filesize
36KB

Download
memory/1724-504-0x0000000000190000-0x000000000019F000-memory.dmp

Filesize
60KB

Download
memory/1724-472-0x0000000000000000-mapping.dmp

Download
memory/1724-501-0x00000000001A0000-0x00000000001A9000-memory.dmp

Filesize
36KB

Download
memory/1876-193-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1876-189-0x0000000000000000-mapping.dmp

Download
memory/1908-793-0x0000000000310000-0x000000000031D000-memory.dmp

Filesize
52KB

Download
memory/1908-773-0x0000000000000000-mapping.dmp

Download
memory/1908-788-0x0000000000320000-0x0000000000327000-memory.dmp

Filesize
28KB

Download
memory/1968-145-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-132-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-117-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-118-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-119-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-120-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-121-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-122-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-124-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-123-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-154-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/1968-153-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/1968-152-0x0000000002270000-0x0000000002279000-memory.dmp

Filesize
36KB

Download
memory/1968-151-0x0000000000560000-0x000000000060E000-memory.dmp

Filesize
696KB

Download
memory/1968-150-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-149-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-147-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-146-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-125-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-144-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-143-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-142-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-141-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-140-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-139-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-138-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-137-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-136-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-135-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-134-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-133-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-126-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-131-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-116-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-130-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-127-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-129-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-128-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/2080-627-0x000002CB508A0000-0x000002CB508AC000-memory.dmp

Filesize
48KB

Download
memory/2080-512-0x000002CB50860000-0x000002CB5086F000-memory.dmp

Filesize
60KB

Download
memory/2272-622-0x0000022C53760000-0x0000022C5376C000-memory.dmp

Filesize
48KB

Download
memory/2272-508-0x0000022C53740000-0x0000022C5374F000-memory.dmp

Filesize
60KB

Download
memory/2652-1174-0x0000015C462C0000-0x0000015C462CF000-memory.dmp

Filesize
60KB

Download
memory/3144-1227-0x000000000052444E-mapping.dmp

Download
memory/3324-393-0x0000000006070000-0x000000000656E000-memory.dmp

Filesize
5.0MB

Download
memory/3324-395-0x0000000005A10000-0x0000000005AA2000-memory.dmp

Filesize
584KB

Download
memory/3324-408-0x0000000005CB0000-0x0000000005DD6000-memory.dmp

Filesize
1.1MB

Download
memory/3324-410-0x0000000005AB0000-0x0000000005B3E000-memory.dmp

Filesize
568KB

Download
memory/3324-413-0x0000000005ED0000-0x0000000005EF2000-memory.dmp

Filesize
136KB

Download
memory/3324-417-0x0000000006570000-0x00000000068C0000-memory.dmp

Filesize
3.3MB

Download
memory/3324-338-0x0000000000000000-mapping.dmp

Download
memory/3324-389-0x0000000000F90000-0x0000000001120000-memory.dmp

Filesize
1.6MB

Download
memory/3624-631-0x000001D73E760000-0x000001D73E76C000-memory.dmp

Filesize
48KB

Download
memory/3624-515-0x000001D73CBD0000-0x000001D73CBDF000-memory.dmp

Filesize
60KB

Download
memory/3948-1140-0x0000025BC53C0000-0x0000025BC53CF000-memory.dmp

Filesize
60KB

Download
memory/3948-1155-0x0000025BC53D0000-0x0000025BC53DC000-memory.dmp

Filesize
48KB

Download
memory/3988-158-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

Filesize
32KB

Download
memory/3988-155-0x0000000000000000-mapping.dmp

Download
memory/4100-1143-0x0000000000E80000-0x0000000000E86000-memory.dmp

Filesize
24KB

Download
memory/4100-571-0x0000000000000000-mapping.dmp

Download
memory/4100-618-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

Filesize
48KB

Download
memory/4100-613-0x0000000000E80000-0x0000000000E86000-memory.dmp

Filesize
24KB

Download
memory/4160-1178-0x000001F5E0DE0000-0x000001F5E0DE8000-memory.dmp

Filesize
32KB

Download
memory/4160-1176-0x000001EDE00F0000-0x000001EDE00F3000-memory.dmp

Filesize
12KB

Download
memory/4192-306-0x0000000008CC0000-0x0000000008CFE000-memory.dmp

Filesize
248KB

Download
memory/4192-296-0x0000000008C60000-0x0000000008C72000-memory.dmp

Filesize
72KB

Download
memory/4192-994-0x0000000009CF0000-0x0000000009D0E000-memory.dmp

Filesize
120KB

Download
memory/4192-1017-0x000000000B160000-0x000000000B1B0000-memory.dmp

Filesize
320KB

Download
memory/4192-428-0x0000000009D80000-0x0000000009DF6000-memory.dmp

Filesize
472KB

Download
memory/4192-287-0x0000000004800000-0x0000000004844000-memory.dmp

Filesize
272KB

Download
memory/4192-1042-0x000000000A730000-0x000000000A8F2000-memory.dmp

Filesize
1.8MB

Download
memory/4192-1050-0x000000000B6E0000-0x000000000BC0C000-memory.dmp

Filesize
5.2MB

Download
memory/4192-348-0x0000000009020000-0x0000000009086000-memory.dmp

Filesize
408KB

Download
memory/4192-292-0x0000000009250000-0x0000000009856000-memory.dmp

Filesize
6.0MB

Download
memory/4192-317-0x0000000008D30000-0x0000000008D7B000-memory.dmp

Filesize
300KB

Download
memory/4192-233-0x0000000004817F1E-mapping.dmp

Download
memory/4192-300-0x0000000008D90000-0x0000000008E9A000-memory.dmp

Filesize
1.0MB

Download
memory/4204-635-0x0000000003420000-0x000000000342B000-memory.dmp

Filesize
44KB

Download
memory/4204-609-0x0000000003430000-0x0000000003437000-memory.dmp

Filesize
28KB

Download
memory/4204-1141-0x0000000003430000-0x0000000003437000-memory.dmp

Filesize
28KB

Download
memory/4204-429-0x0000000000000000-mapping.dmp

Download
memory/4260-887-0x0000000003450000-0x0000000003472000-memory.dmp

Filesize
136KB

Download
memory/4260-892-0x0000000003420000-0x0000000003447000-memory.dmp

Filesize
156KB

Download
memory/4260-623-0x0000000000000000-mapping.dmp

Download
memory/4272-303-0x0000000000000000-mapping.dmp

Download
memory/4564-188-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-179-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-191-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-159-0x0000000000000000-mapping.dmp

Download
memory/4564-194-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-190-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-161-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-162-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-163-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-164-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-185-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-187-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-186-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-184-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-183-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-165-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-182-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-181-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-180-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-166-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-178-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-177-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-176-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-175-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-396-0x00000000011F0000-0x0000000001A24000-memory.dmp

Filesize
8.2MB

Download
memory/4564-174-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-173-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-172-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-171-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-169-0x00000000011F0000-0x0000000001A24000-memory.dmp

Filesize
8.2MB

Download
memory/4564-170-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-167-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/4772-398-0x0000000000000000-mapping.dmp

Download
memory/4796-822-0x0000000000000000-mapping.dmp

Download
memory/4796-1040-0x00000000003E0000-0x00000000003EB000-memory.dmp

Filesize
44KB

Download
memory/4796-1036-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/5060-1000-0x0000000000120000-0x000000000012B000-memory.dmp

Filesize
44KB

Download
memory/5060-722-0x0000000000000000-mapping.dmp

Download
memory/5060-998-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download