quasar | 427895a73d7150c8f132f251c230ae0686ee0b89e13e46258f40b0de1cc5e638

Resubmissions

14-06-2024 04:34

240614-e7engsvfqb 10

10-09-2023 03:56

230910-ehlqhafa99 10

10-09-2023 03:52

230910-ee9yxsfa96 10

Analysis

max time kernel
639s
max time network
635s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
10-09-2023 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ImageLoggerV12.exe
Size

67.2MB
MD5

c32642c9ee6b0645a1b8e79827d3b527
SHA1

c91233c4cb87e810989c4135aa5956aadb74240a
SHA256

427895a73d7150c8f132f251c230ae0686ee0b89e13e46258f40b0de1cc5e638
SHA512

6447dc0a21efe22b7b80143e34aeba0e0a788a6d7802f16ae9430fb2040284ea8254b4740da84229447410e4ddbadc235b1cebcf8d797915b66c83aa88c8b2fc
SSDEEP

1572864:132XjX2pJxhQnieFTnt9bN4bfZDbNmkXfSWd+Ut8y4:1N7iTn2dDJF6WDO

Score

10^/10

quasar xmrig office04 miner spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

NareReti-40382.portmap.host:40382

Mutex

1f3547a3-6112-47d5-9c48-4fb1bd3d6344

Attributes

encryption_key
CE886B4F24E457903274F7555F940215147255CD
install_name
CasNic.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Google Chrome
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\GC.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\GC.exe	family_quasar
behavioral2/memory/324-104-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Local\Temp\GC.exe	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs

Processes:

mainPannel.exeupdater.exe

description	pid	process	target process
PID 5144 created 3264	5144	mainPannel.exe	Explorer.EXE
PID 5144 created 3264	5144	mainPannel.exe	Explorer.EXE
PID 5144 created 3264	5144	mainPannel.exe	Explorer.EXE
PID 5144 created 3264	5144	mainPannel.exe	Explorer.EXE
PID 4988 created 3264	4988	updater.exe	Explorer.EXE
PID 4988 created 3264	4988	updater.exe	Explorer.EXE
PID 4988 created 3264	4988	updater.exe	Explorer.EXE
PID 4988 created 3264	4988	updater.exe	Explorer.EXE
PID 4988 created 3264	4988	updater.exe	Explorer.EXE

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4988-381-0x00007FF743D20000-0x00007FF7475AE000-memory.dmp	xmrig
behavioral2/memory/4340-384-0x00007FF632C30000-0x00007FF63341F000-memory.dmp	xmrig

Blocklisted process makes network request 6 IoCs

Processes:

cmd.exe

flow pid process

57 4340 cmd.exe
61 4340 cmd.exe
63 4340 cmd.exe
73 4340 cmd.exe
79 4340 cmd.exe
103 4340 cmd.exe

flow	pid	process
57	4340	cmd.exe
61	4340	cmd.exe
63	4340	cmd.exe
73	4340	cmd.exe
79	4340	cmd.exe
103	4340	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ImageLoggerV12.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Control Panel\International\Geo\Nation	ImageLoggerV12.exe

Executes dropped EXE 6 IoCs

Processes:

Logger.exeLogger.exemainPannel.exeUI.exeGC.exeupdater.exe

pid process

5244 Logger.exe
2636 Logger.exe
5144 mainPannel.exe
2988 UI.exe
324 GC.exe
4988 updater.exe

pid	process
5244	Logger.exe
2636	Logger.exe
5144	mainPannel.exe
2988	UI.exe
324	GC.exe
4988	updater.exe

Loads dropped DLL 17 IoCs

Processes:

Logger.exe

pid	process
2636	Logger.exe
2636	Logger.exe
2636	Logger.exe
2636	Logger.exe
2636	Logger.exe
2636	Logger.exe
2636	Logger.exe
2636	Logger.exe
2636	Logger.exe
2636	Logger.exe
2636	Logger.exe
2636	Logger.exe
2636	Logger.exe
2636	Logger.exe
2636	Logger.exe
2636	Logger.exe
2636	Logger.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI52442\python311.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\python311.dll	upx
behavioral2/memory/2636-62-0x00007FF896340000-0x00007FF896929000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_ctypes.pyd	upx
behavioral2/memory/2636-71-0x00007FF89D440000-0x00007FF89D463000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\libffi-8.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\libffi-8.dll	upx
behavioral2/memory/2636-76-0x00007FF8ACA00000-0x00007FF8ACA0F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_sqlite3.pyd	upx
behavioral2/memory/2636-119-0x00007FF89D840000-0x00007FF89D859000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\sqlite3.dll	upx
behavioral2/memory/2636-120-0x00007FF89C310000-0x00007FF89C333000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_sqlite3.pyd	upx
behavioral2/memory/2636-116-0x00007FF89C340000-0x00007FF89C36D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\libssl-1_1.dll	upx
behavioral2/memory/324-136-0x000000001B5B0000-0x000000001B5C0000-memory.dmp	upx
behavioral2/memory/2636-137-0x00007FF89D420000-0x00007FF89D439000-memory.dmp	upx
behavioral2/memory/2636-138-0x00007FF8AB380000-0x00007FF8AB38D000-memory.dmp	upx
behavioral2/memory/2636-139-0x00007FF89B960000-0x00007FF89BA18000-memory.dmp	upx
behavioral2/memory/2636-146-0x00007FF89C1F0000-0x00007FF89C21E000-memory.dmp	upx
behavioral2/memory/2636-145-0x00007FF898920000-0x00007FF898A97000-memory.dmp	upx
behavioral2/memory/2636-141-0x00007FF897500000-0x00007FF897878000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\libcrypto-1_1.dll	upx
behavioral2/memory/2636-152-0x00007FF896340000-0x00007FF896929000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_hashlib.pyd	upx
behavioral2/memory/2636-155-0x00007FF89D440000-0x00007FF89D463000-memory.dmp	upx
behavioral2/memory/2636-162-0x00007FF89C310000-0x00007FF89C333000-memory.dmp	upx
behavioral2/memory/2636-164-0x00007FF89D420000-0x00007FF89D439000-memory.dmp	upx
behavioral2/memory/2636-166-0x00007FF89C1F0000-0x00007FF89C21E000-memory.dmp	upx
behavioral2/memory/2636-167-0x00007FF89B960000-0x00007FF89BA18000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\unicodedata.pyd	upx
behavioral2/memory/2636-168-0x00007FF897500000-0x00007FF897878000-memory.dmp	upx
behavioral2/memory/2636-169-0x00007FF89B920000-0x00007FF89B934000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI52442\unicodedata.pyd	upx
behavioral2/memory/2636-173-0x00007FF8A7F10000-0x00007FF8A7F1D000-memory.dmp	upx
behavioral2/memory/2636-174-0x00007FF8973E0000-0x00007FF8974FC000-memory.dmp	upx
behavioral2/memory/2636-199-0x00007FF896340000-0x00007FF896929000-memory.dmp	upx
behavioral2/memory/2636-208-0x00007FF89C340000-0x00007FF89C36D000-memory.dmp	upx
behavioral2/memory/2636-210-0x00007FF89D840000-0x00007FF89D859000-memory.dmp	upx
behavioral2/memory/2636-211-0x00007FF89C310000-0x00007FF89C333000-memory.dmp	upx
behavioral2/memory/2636-205-0x00007FF8ACA00000-0x00007FF8ACA0F000-memory.dmp	upx
behavioral2/memory/2636-204-0x00007FF89D440000-0x00007FF89D463000-memory.dmp	upx
behavioral2/memory/2636-203-0x00007FF896340000-0x00007FF896929000-memory.dmp	upx
behavioral2/memory/2636-214-0x00007FF898920000-0x00007FF898A97000-memory.dmp	upx
behavioral2/memory/2636-216-0x00007FF89D420000-0x00007FF89D439000-memory.dmp	upx
behavioral2/memory/2636-218-0x00007FF8AB380000-0x00007FF8AB38D000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 4988 set thread context of 5188	4988	updater.exe	conhost.exe
PID 4988 set thread context of 4340	4988	updater.exe	cmd.exe

Drops file in Program Files directory 2 IoCs

Processes:

mainPannel.exeupdater.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	mainPannel.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5980 schtasks.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

756 tasklist.exe

pid	process
5980	schtasks.exe

pid	process
756	tasklist.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exepowershell.exeidentity_helper.exepowershell.exemousocoreworker.exemainPannel.exepowershell.exepowershell.exeupdater.exepowershell.exepowershell.exemsedge.exe

pid	process
1272	msedge.exe
1272	msedge.exe
2296	msedge.exe
2296	msedge.exe
2112	msedge.exe
2112	msedge.exe
2784	msedge.exe
2784	msedge.exe
6044	powershell.exe
6044	powershell.exe
6044	powershell.exe
4672	identity_helper.exe
4672	identity_helper.exe
6028	powershell.exe
6028	powershell.exe
6024	mousocoreworker.exe
6024	mousocoreworker.exe
6028	powershell.exe
6024	mousocoreworker.exe
5144	mainPannel.exe
5144	mainPannel.exe
1216	powershell.exe
1216	powershell.exe
1216	powershell.exe
5144	mainPannel.exe
5144	mainPannel.exe
5144	mainPannel.exe
5144	mainPannel.exe
3768	powershell.exe
3768	powershell.exe
3768	powershell.exe
5144	mainPannel.exe
5144	mainPannel.exe
4988	updater.exe
4988	updater.exe
5644	powershell.exe
5644	powershell.exe
5644	powershell.exe
4988	updater.exe
4988	updater.exe
4988	updater.exe
4988	updater.exe
2508	powershell.exe
2508	powershell.exe
2508	powershell.exe
4988	updater.exe
4988	updater.exe
4988	updater.exe
4988	updater.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

660

pid	process
660

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeGC.exeWMIC.exetasklist.exepowershell.exemousocoreworker.exepowershell.exepowershell.exepowercfg.exepowercfg.exeConhost.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	6044	powershell.exe
Token: SeDebugPrivilege	324	GC.exe
Token: SeIncreaseQuotaPrivilege	4480	WMIC.exe
Token: SeSecurityPrivilege	4480	WMIC.exe
Token: SeTakeOwnershipPrivilege	4480	WMIC.exe
Token: SeLoadDriverPrivilege	4480	WMIC.exe
Token: SeSystemProfilePrivilege	4480	WMIC.exe
Token: SeSystemtimePrivilege	4480	WMIC.exe
Token: SeProfSingleProcessPrivilege	4480	WMIC.exe
Token: SeIncBasePriorityPrivilege	4480	WMIC.exe
Token: SeCreatePagefilePrivilege	4480	WMIC.exe
Token: SeBackupPrivilege	4480	WMIC.exe
Token: SeRestorePrivilege	4480	WMIC.exe
Token: SeShutdownPrivilege	4480	WMIC.exe
Token: SeDebugPrivilege	4480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4480	WMIC.exe
Token: SeRemoteShutdownPrivilege	4480	WMIC.exe
Token: SeUndockPrivilege	4480	WMIC.exe
Token: SeManageVolumePrivilege	4480	WMIC.exe
Token: 33	4480	WMIC.exe
Token: 34	4480	WMIC.exe
Token: 35	4480	WMIC.exe
Token: 36	4480	WMIC.exe
Token: SeDebugPrivilege	756	tasklist.exe
Token: SeDebugPrivilege	6028	powershell.exe
Token: SeIncreaseQuotaPrivilege	4480	WMIC.exe
Token: SeSecurityPrivilege	4480	WMIC.exe
Token: SeTakeOwnershipPrivilege	4480	WMIC.exe
Token: SeLoadDriverPrivilege	4480	WMIC.exe
Token: SeSystemProfilePrivilege	4480	WMIC.exe
Token: SeSystemtimePrivilege	4480	WMIC.exe
Token: SeProfSingleProcessPrivilege	4480	WMIC.exe
Token: SeIncBasePriorityPrivilege	4480	WMIC.exe
Token: SeCreatePagefilePrivilege	4480	WMIC.exe
Token: SeBackupPrivilege	4480	WMIC.exe
Token: SeRestorePrivilege	4480	WMIC.exe
Token: SeShutdownPrivilege	4480	WMIC.exe
Token: SeDebugPrivilege	4480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4480	WMIC.exe
Token: SeRemoteShutdownPrivilege	4480	WMIC.exe
Token: SeUndockPrivilege	4480	WMIC.exe
Token: SeManageVolumePrivilege	4480	WMIC.exe
Token: 33	4480	WMIC.exe
Token: 34	4480	WMIC.exe
Token: 35	4480	WMIC.exe
Token: 36	4480	WMIC.exe
Token: SeDebugPrivilege	6024	mousocoreworker.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeShutdownPrivilege	260	powercfg.exe
Token: SeCreatePagefilePrivilege	260	powercfg.exe
Token: SeShutdownPrivilege	1460	powercfg.exe
Token: SeCreatePagefilePrivilege	1460	powercfg.exe
Token: SeShutdownPrivilege	2392	Conhost.exe
Token: SeCreatePagefilePrivilege	2392	Conhost.exe
Token: SeShutdownPrivilege	3776	powercfg.exe
Token: SeCreatePagefilePrivilege	3776	powercfg.exe
Token: SeIncreaseQuotaPrivilege	3768	powershell.exe
Token: SeSecurityPrivilege	3768	powershell.exe
Token: SeTakeOwnershipPrivilege	3768	powershell.exe
Token: SeLoadDriverPrivilege	3768	powershell.exe
Token: SeSystemProfilePrivilege	3768	powershell.exe
Token: SeSystemtimePrivilege	3768	powershell.exe
Token: SeProfSingleProcessPrivilege	3768	powershell.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

ImageLoggerV12.exeLogger.exeLogger.exeGC.exeConhost.execmd.execmd.execmd.execmd.execmd.exeupdater.exe

description	pid	process	target process
PID 5708 wrote to memory of 6044	5708	ImageLoggerV12.exe	powershell.exe
PID 5708 wrote to memory of 6044	5708	ImageLoggerV12.exe	powershell.exe
PID 5708 wrote to memory of 5244	5708	ImageLoggerV12.exe	Logger.exe
PID 5708 wrote to memory of 5244	5708	ImageLoggerV12.exe	Logger.exe
PID 5244 wrote to memory of 2636	5244	Logger.exe	Logger.exe
PID 5244 wrote to memory of 2636	5244	Logger.exe	Logger.exe
PID 5708 wrote to memory of 5144	5708	ImageLoggerV12.exe	mainPannel.exe
PID 5708 wrote to memory of 5144	5708	ImageLoggerV12.exe	mainPannel.exe
PID 5708 wrote to memory of 2988	5708	ImageLoggerV12.exe	UI.exe
PID 5708 wrote to memory of 2988	5708	ImageLoggerV12.exe	UI.exe
PID 5708 wrote to memory of 2988	5708	ImageLoggerV12.exe	UI.exe
PID 5708 wrote to memory of 324	5708	ImageLoggerV12.exe	GC.exe
PID 5708 wrote to memory of 324	5708	ImageLoggerV12.exe	GC.exe
PID 2636 wrote to memory of 1952	2636	Logger.exe	cmd.exe
PID 2636 wrote to memory of 1952	2636	Logger.exe	cmd.exe
PID 2636 wrote to memory of 5604	2636	Logger.exe	cmd.exe
PID 2636 wrote to memory of 5604	2636	Logger.exe	cmd.exe
PID 2636 wrote to memory of 2008	2636	Logger.exe	cmd.exe
PID 2636 wrote to memory of 2008	2636	Logger.exe	cmd.exe
PID 2636 wrote to memory of 2392	2636	Logger.exe	Conhost.exe
PID 2636 wrote to memory of 2392	2636	Logger.exe	Conhost.exe
PID 324 wrote to memory of 5980	324	GC.exe	schtasks.exe
PID 324 wrote to memory of 5980	324	GC.exe	schtasks.exe
PID 2392 wrote to memory of 4480	2392	Conhost.exe	WMIC.exe
PID 2392 wrote to memory of 4480	2392	Conhost.exe	WMIC.exe
PID 2008 wrote to memory of 756	2008	cmd.exe	tasklist.exe
PID 2008 wrote to memory of 756	2008	cmd.exe	tasklist.exe
PID 5604 wrote to memory of 6028	5604	cmd.exe	powershell.exe
PID 5604 wrote to memory of 6028	5604	cmd.exe	powershell.exe
PID 1952 wrote to memory of 6024	1952	cmd.exe	mousocoreworker.exe
PID 1952 wrote to memory of 6024	1952	cmd.exe	mousocoreworker.exe
PID 632 wrote to memory of 260	632	cmd.exe	powercfg.exe
PID 632 wrote to memory of 260	632	cmd.exe	powercfg.exe
PID 632 wrote to memory of 1460	632	cmd.exe	powercfg.exe
PID 632 wrote to memory of 1460	632	cmd.exe	powercfg.exe
PID 632 wrote to memory of 2392	632	cmd.exe	Conhost.exe
PID 632 wrote to memory of 2392	632	cmd.exe	Conhost.exe
PID 632 wrote to memory of 3776	632	cmd.exe	powercfg.exe
PID 632 wrote to memory of 3776	632	cmd.exe	powercfg.exe
PID 4888 wrote to memory of 5096	4888	cmd.exe	powercfg.exe
PID 4888 wrote to memory of 5096	4888	cmd.exe	powercfg.exe
PID 4888 wrote to memory of 2556	4888	cmd.exe	powercfg.exe
PID 4888 wrote to memory of 2556	4888	cmd.exe	powercfg.exe
PID 4888 wrote to memory of 4836	4888	cmd.exe	powercfg.exe
PID 4888 wrote to memory of 4836	4888	cmd.exe	powercfg.exe
PID 4888 wrote to memory of 2224	4888	cmd.exe	powercfg.exe
PID 4888 wrote to memory of 2224	4888	cmd.exe	powercfg.exe
PID 4988 wrote to memory of 5188	4988	updater.exe	conhost.exe
PID 4988 wrote to memory of 4340	4988	updater.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3264

C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe
"C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAawBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAdgB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAeABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAegBsACMAPgA="
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6044

C:\Users\Admin\AppData\Roaming\Logger.exe
"C:\Users\Admin\AppData\Roaming\Logger.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5244

C:\Users\Admin\AppData\Roaming\Logger.exe
"C:\Users\Admin\AppData\Roaming\Logger.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Logger.exe'"
5⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Logger.exe'
6⤵
PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
5⤵
- Suspicious use of WriteProcessMemory
PID:5604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
5⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
5⤵
PID:2392

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
"C:\Users\Admin\AppData\Local\Temp\mainPannel.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:5144

C:\Users\Admin\AppData\Local\Temp\UI.exe
"C:\Users\Admin\AppData\Local\Temp\UI.exe"
3⤵
- Executes dropped EXE
PID:2988

C:\Users\Admin\AppData\Local\Temp\GC.exe
"C:\Users\Admin\AppData\Local\Temp\GC.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:5980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:2560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2508

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:5096

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:2556

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:4836

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:2224

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
PID:5188

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
2⤵
- Blocklisted process makes network request
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,4514977508286117279,12006304953039510594,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
1⤵
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
1⤵
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,5142347409584299056,8829815679591727427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,5142347409584299056,8829815679591727427,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
1⤵
PID:2776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,4514977508286117279,12006304953039510594,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,17914044602809512869,8429339695825631866,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
1⤵
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
1⤵
PID:100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,17914044602809512869,8429339695825631866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
1⤵
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
1⤵
PID:4132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8b33646f8,0x7ff8b3364708,0x7ff8b3364718
1⤵
PID:5360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
1⤵
PID:5600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
1⤵
PID:5592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
1⤵
PID:5584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
1⤵
PID:5720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
1⤵
PID:5820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
1⤵
PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
1⤵
PID:3856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
1⤵
PID:1092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
1⤵
PID:888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
1⤵
PID:6124

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 /prefetch:8
1⤵
PID:4164

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1932 /prefetch:8
1⤵
PID:2868

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
1⤵
PID:2392

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:260

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1360 /prefetch:2
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5932

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
56.5MB

MD5
4bcdea1ce4588a550b35ddfd88ffe867

SHA1
79319590abb95dfbbe7ec789d78531655e75a61b

SHA256
ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e

SHA512
df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
56.5MB

MD5
4bcdea1ce4588a550b35ddfd88ffe867

SHA1
79319590abb95dfbbe7ec789d78531655e75a61b

SHA256
ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e

SHA512
df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9611cc3fb39fedd4b0e81d90b044531c

SHA1
e35c10c1c1e29d44222114e0f72d58b3072880fd

SHA256
2090eae25be03e07ff54e5ab9d219902fb80e8c1f6fe52e73c9a4afcf5eec5ec

SHA512
92cf8fdd0353dd1e04856b6642483ac426ea32113a0b7436cf8224623912ae2f31078c7e70cef1c67f859504bd29e05f9af69f06533725e57244063e89e4954d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GC.exe
Filesize
3.1MB

MD5
b2bcd053c6452f8a04ba108d850f9781

SHA1
d69a9b01e46a84347317f93898c270b0df1fd4ca

SHA256
4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec

SHA512
e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\GC.exe
Filesize
3.1MB

MD5
b2bcd053c6452f8a04ba108d850f9781

SHA1
d69a9b01e46a84347317f93898c270b0df1fd4ca

SHA256
4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec

SHA512
e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\GC.exe
Filesize
3.1MB

MD5
b2bcd053c6452f8a04ba108d850f9781

SHA1
d69a9b01e46a84347317f93898c270b0df1fd4ca

SHA256
4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec

SHA512
e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\UI.exe
Filesize
443KB

MD5
a6d1f2686c50110de2fd76df4dcb7057

SHA1
75f47ac32fada1bb9371b45006c2b1744347790a

SHA256
ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446

SHA512
f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66

Download Submit
C:\Users\Admin\AppData\Local\Temp\UI.exe
Filesize
443KB

MD5
a6d1f2686c50110de2fd76df4dcb7057

SHA1
75f47ac32fada1bb9371b45006c2b1744347790a

SHA256
ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446

SHA512
f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66

Download Submit
C:\Users\Admin\AppData\Local\Temp\UI.exe
Filesize
443KB

MD5
a6d1f2686c50110de2fd76df4dcb7057

SHA1
75f47ac32fada1bb9371b45006c2b1744347790a

SHA256
ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446

SHA512
f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\VCRUNTIME140.dll
Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\VCRUNTIME140.dll
Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_bz2.pyd
Filesize
48KB

MD5
2d461b41f6e9a305dde68e9c59e4110a

SHA1
97c2266f47a651e37a72c153116d81d93c7556e8

SHA256
abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4

SHA512
eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_bz2.pyd
Filesize
48KB

MD5
2d461b41f6e9a305dde68e9c59e4110a

SHA1
97c2266f47a651e37a72c153116d81d93c7556e8

SHA256
abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4

SHA512
eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_ctypes.pyd
Filesize
58KB

MD5
1adfe4d0f4d68c9c539489b89717984d

SHA1
8ae31b831b3160f5b88dda58ad3959c7423f8eb2

SHA256
64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c

SHA512
b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_ctypes.pyd
Filesize
58KB

MD5
1adfe4d0f4d68c9c539489b89717984d

SHA1
8ae31b831b3160f5b88dda58ad3959c7423f8eb2

SHA256
64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c

SHA512
b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_hashlib.pyd
Filesize
35KB

MD5
f10d896ed25751ead72d8b03e404ea36

SHA1
eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb

SHA256
3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3

SHA512
7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_hashlib.pyd
Filesize
35KB

MD5
f10d896ed25751ead72d8b03e404ea36

SHA1
eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb

SHA256
3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3

SHA512
7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_lzma.pyd
Filesize
85KB

MD5
3798175fd77eded46a8af6b03c5e5f6d

SHA1
f637eaf42080dcc620642400571473a3fdf9174f

SHA256
3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41

SHA512
1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_lzma.pyd
Filesize
85KB

MD5
3798175fd77eded46a8af6b03c5e5f6d

SHA1
f637eaf42080dcc620642400571473a3fdf9174f

SHA256
3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41

SHA512
1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_queue.pyd
Filesize
25KB

MD5
decdabaca104520549b0f66c136a9dc1

SHA1
423e6f3100013e5a2c97e65e94834b1b18770a87

SHA256
9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84

SHA512
d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_queue.pyd
Filesize
25KB

MD5
decdabaca104520549b0f66c136a9dc1

SHA1
423e6f3100013e5a2c97e65e94834b1b18770a87

SHA256
9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84

SHA512
d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_socket.pyd
Filesize
43KB

MD5
bcc3e26a18d59d76fd6cf7cd64e9e14d

SHA1
b85e4e7d300dbeec942cb44e4a38f2c6314d3166

SHA256
4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98

SHA512
65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_socket.pyd
Filesize
43KB

MD5
bcc3e26a18d59d76fd6cf7cd64e9e14d

SHA1
b85e4e7d300dbeec942cb44e4a38f2c6314d3166

SHA256
4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98

SHA512
65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_sqlite3.pyd
Filesize
56KB

MD5
eb6313b94292c827a5758eea82d018d9

SHA1
7070f715d088c669eda130d0f15e4e4e9c4b7961

SHA256
6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da

SHA512
23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_sqlite3.pyd
Filesize
56KB

MD5
eb6313b94292c827a5758eea82d018d9

SHA1
7070f715d088c669eda130d0f15e4e4e9c4b7961

SHA256
6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da

SHA512
23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_ssl.pyd
Filesize
62KB

MD5
2089768e25606262921e4424a590ff05

SHA1
bc94a8ff462547ab48c2fbf705673a1552545b76

SHA256
3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca

SHA512
371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_ssl.pyd
Filesize
62KB

MD5
2089768e25606262921e4424a590ff05

SHA1
bc94a8ff462547ab48c2fbf705673a1552545b76

SHA256
3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca

SHA512
371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\base_library.zip
Filesize
1.8MB

MD5
e17ce7183e682de459eec1a5ac9cbbff

SHA1
722968ca6eb123730ebc30ff2d498f9a5dad4cc1

SHA256
ff6a37c49ee4bb07a763866d4163126165038296c1fb7b730928297c25cfbe6d

SHA512
fab76b59dcd3570695fa260f56e277f8d714048f3d89f6e9f69ea700fca7c097d0db5f5294beab4e6409570408f1d680e8220851fededb981acb129a415358d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\blank.aes
Filesize
120KB

MD5
07b71b817dd774c5f88c5526790fcbc9

SHA1
6000351cb67edf2275b1b499e0fb01bbe693b1f2

SHA256
8f0927d471642856553a04b32a6527b9deebdfcaadc5b0b6f91cf7fc5cb66038

SHA512
295fa6d16b15a7b425ec4031f05e34ec159ca0129a5a59ca8b0c6fd146d809fc9834e1eccb8f1aa3ffb8b87bc9ba63bb6688b596b22b92e03f053297e16a6b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\blank.aes
Filesize
120KB

MD5
9baaf674093c1a16ec32e34132f51322

SHA1
afc51b60ec89af834297e01229566be5b27fab75

SHA256
55f06f3d9f2b0a02f4d4e663a4416c0268315b0b30120b6174a2db517f0de8c4

SHA512
aff6512ca8002573d1c7b95aeaefe7bc6d22d028ef9fc8b4c1ce7537911c8e5a36bdc842685d224761d643f743b0e8c3029945d10601a993889752cf41f82123

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\libcrypto-1_1.dll
Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\libcrypto-1_1.dll
Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\libcrypto-1_1.dll
Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\libffi-8.dll
Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\libffi-8.dll
Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\libssl-1_1.dll
Filesize
204KB

MD5
8e8a145e122a593af7d6cde06d2bb89f

SHA1
b0e7d78bb78108d407239e9f1b376e0c8c295175

SHA256
a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1

SHA512
d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\libssl-1_1.dll
Filesize
204KB

MD5
8e8a145e122a593af7d6cde06d2bb89f

SHA1
b0e7d78bb78108d407239e9f1b376e0c8c295175

SHA256
a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1

SHA512
d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\python311.dll
Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\python311.dll
Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\select.pyd
Filesize
25KB

MD5
90fea71c9828751e36c00168b9ba4b2b

SHA1
15b506df7d02612e3ba49f816757ad0c141e9dc1

SHA256
5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d

SHA512
e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\select.pyd
Filesize
25KB

MD5
90fea71c9828751e36c00168b9ba4b2b

SHA1
15b506df7d02612e3ba49f816757ad0c141e9dc1

SHA256
5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d

SHA512
e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\sqlite3.dll
Filesize
622KB

MD5
395332e795cb6abaca7d0126d6c1f215

SHA1
b845bd8864cd35dcb61f6db3710acc2659ed9f18

SHA256
8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c

SHA512
8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\sqlite3.dll
Filesize
622KB

MD5
395332e795cb6abaca7d0126d6c1f215

SHA1
b845bd8864cd35dcb61f6db3710acc2659ed9f18

SHA256
8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c

SHA512
8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\unicodedata.pyd
Filesize
295KB

MD5
c2556dc74aea61b0bd9bd15e9cd7b0d6

SHA1
05eff76e393bfb77958614ff08229b6b770a1750

SHA256
987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d

SHA512
f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52442\unicodedata.pyd
Filesize
295KB

MD5
c2556dc74aea61b0bd9bd15e9cd7b0d6

SHA1
05eff76e393bfb77958614ff08229b6b770a1750

SHA256
987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d

SHA512
f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wwhoyx4e.jbv.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
Filesize
56.5MB

MD5
4bcdea1ce4588a550b35ddfd88ffe867

SHA1
79319590abb95dfbbe7ec789d78531655e75a61b

SHA256
ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e

SHA512
df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
Filesize
56.5MB

MD5
4bcdea1ce4588a550b35ddfd88ffe867

SHA1
79319590abb95dfbbe7ec789d78531655e75a61b

SHA256
ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e

SHA512
df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
Filesize
56.5MB

MD5
4bcdea1ce4588a550b35ddfd88ffe867

SHA1
79319590abb95dfbbe7ec789d78531655e75a61b

SHA256
ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e

SHA512
df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

Download Submit
C:\Users\Admin\AppData\Roaming\Logger.exe
Filesize
7.0MB

MD5
90a149cf408f4173e445ec61c7c5a418

SHA1
352ec472076c3f48fc2e60e71b50bf5d7fb13bf3

SHA256
bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2

SHA512
917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

Download Submit
C:\Users\Admin\AppData\Roaming\Logger.exe
Filesize
7.0MB

MD5
90a149cf408f4173e445ec61c7c5a418

SHA1
352ec472076c3f48fc2e60e71b50bf5d7fb13bf3

SHA256
bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2

SHA512
917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

Download Submit
C:\Users\Admin\AppData\Roaming\Logger.exe
Filesize
7.0MB

MD5
90a149cf408f4173e445ec61c7c5a418

SHA1
352ec472076c3f48fc2e60e71b50bf5d7fb13bf3

SHA256
bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2

SHA512
917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

Download Submit
C:\Users\Admin\AppData\Roaming\Logger.exe
Filesize
7.0MB

MD5
90a149cf408f4173e445ec61c7c5a418

SHA1
352ec472076c3f48fc2e60e71b50bf5d7fb13bf3

SHA256
bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2

SHA512
917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
memory/324-103-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp

Filesize
10.8MB

Download
memory/324-270-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp

Filesize
10.8MB

Download
memory/324-284-0x000000001B5B0000-0x000000001B5C0000-memory.dmp

Filesize
64KB

Download
memory/324-136-0x000000001B5B0000-0x000000001B5C0000-memory.dmp

Filesize
64KB

Download
memory/324-104-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1216-269-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp

Filesize
10.8MB

Download
memory/1216-252-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp

Filesize
10.8MB

Download
memory/1216-254-0x000001BC5E360000-0x000001BC5E370000-memory.dmp

Filesize
64KB

Download
memory/1216-253-0x000001BC5E360000-0x000001BC5E370000-memory.dmp

Filesize
64KB

Download
memory/1216-255-0x000001BC5E360000-0x000001BC5E370000-memory.dmp

Filesize
64KB

Download
memory/1216-261-0x000001BC5E360000-0x000001BC5E370000-memory.dmp

Filesize
64KB

Download
memory/1216-268-0x000001BC76AC0000-0x000001BC76C0E000-memory.dmp

Filesize
1.3MB

Download
memory/2508-375-0x0000029AF7250000-0x0000029AF739E000-memory.dmp

Filesize
1.3MB

Download
memory/2636-210-0x00007FF89D840000-0x00007FF89D859000-memory.dmp

Filesize
100KB

Download
memory/2636-174-0x00007FF8973E0000-0x00007FF8974FC000-memory.dmp

Filesize
1.1MB

Download
memory/2636-116-0x00007FF89C340000-0x00007FF89C36D000-memory.dmp

Filesize
180KB

Download
memory/2636-71-0x00007FF89D440000-0x00007FF89D463000-memory.dmp

Filesize
140KB

Download
memory/2636-120-0x00007FF89C310000-0x00007FF89C333000-memory.dmp

Filesize
140KB

Download
memory/2636-152-0x00007FF896340000-0x00007FF896929000-memory.dmp

Filesize
5.9MB

Download
memory/2636-141-0x00007FF897500000-0x00007FF897878000-memory.dmp

Filesize
3.5MB

Download
memory/2636-119-0x00007FF89D840000-0x00007FF89D859000-memory.dmp

Filesize
100KB

Download
memory/2636-62-0x00007FF896340000-0x00007FF896929000-memory.dmp

Filesize
5.9MB

Download
memory/2636-221-0x00007FF89B960000-0x00007FF89BA18000-memory.dmp

Filesize
736KB

Download
memory/2636-155-0x00007FF89D440000-0x00007FF89D463000-memory.dmp

Filesize
140KB

Download
memory/2636-220-0x00007FF89C1F0000-0x00007FF89C21E000-memory.dmp

Filesize
184KB

Download
memory/2636-162-0x00007FF89C310000-0x00007FF89C333000-memory.dmp

Filesize
140KB

Download
memory/2636-164-0x00007FF89D420000-0x00007FF89D439000-memory.dmp

Filesize
100KB

Download
memory/2636-166-0x00007FF89C1F0000-0x00007FF89C21E000-memory.dmp

Filesize
184KB

Download
memory/2636-167-0x00007FF89B960000-0x00007FF89BA18000-memory.dmp

Filesize
736KB

Download
memory/2636-145-0x00007FF898920000-0x00007FF898A97000-memory.dmp

Filesize
1.5MB

Download
memory/2636-168-0x00007FF897500000-0x00007FF897878000-memory.dmp

Filesize
3.5MB

Download
memory/2636-169-0x00007FF89B920000-0x00007FF89B934000-memory.dmp

Filesize
80KB

Download
memory/2636-218-0x00007FF8AB380000-0x00007FF8AB38D000-memory.dmp

Filesize
52KB

Download
memory/2636-216-0x00007FF89D420000-0x00007FF89D439000-memory.dmp

Filesize
100KB

Download
memory/2636-214-0x00007FF898920000-0x00007FF898A97000-memory.dmp

Filesize
1.5MB

Download
memory/2636-173-0x00007FF8A7F10000-0x00007FF8A7F1D000-memory.dmp

Filesize
52KB

Download
memory/2636-223-0x00007FF897500000-0x00007FF897878000-memory.dmp

Filesize
3.5MB

Download
memory/2636-140-0x00000181DE650000-0x00000181DE9C8000-memory.dmp

Filesize
3.5MB

Download
memory/2636-76-0x00007FF8ACA00000-0x00007FF8ACA0F000-memory.dmp

Filesize
60KB

Download
memory/2636-225-0x00007FF89B920000-0x00007FF89B934000-memory.dmp

Filesize
80KB

Download
memory/2636-137-0x00007FF89D420000-0x00007FF89D439000-memory.dmp

Filesize
100KB

Download
memory/2636-138-0x00007FF8AB380000-0x00007FF8AB38D000-memory.dmp

Filesize
52KB

Download
memory/2636-199-0x00007FF896340000-0x00007FF896929000-memory.dmp

Filesize
5.9MB

Download
memory/2636-203-0x00007FF896340000-0x00007FF896929000-memory.dmp

Filesize
5.9MB

Download
memory/2636-139-0x00007FF89B960000-0x00007FF89BA18000-memory.dmp

Filesize
736KB

Download
memory/2636-204-0x00007FF89D440000-0x00007FF89D463000-memory.dmp

Filesize
140KB

Download
memory/2636-229-0x00007FF8973E0000-0x00007FF8974FC000-memory.dmp

Filesize
1.1MB

Download
memory/2636-208-0x00007FF89C340000-0x00007FF89C36D000-memory.dmp

Filesize
180KB

Download
memory/2636-146-0x00007FF89C1F0000-0x00007FF89C21E000-memory.dmp

Filesize
184KB

Download
memory/2636-211-0x00007FF89C310000-0x00007FF89C333000-memory.dmp

Filesize
140KB

Download
memory/2636-227-0x00007FF8A7F10000-0x00007FF8A7F1D000-memory.dmp

Filesize
52KB

Download
memory/2636-205-0x00007FF8ACA00000-0x00007FF8ACA0F000-memory.dmp

Filesize
60KB

Download
memory/2988-142-0x0000000000C40000-0x0000000000CB6000-memory.dmp

Filesize
472KB

Download
memory/2988-200-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/2988-133-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/2988-172-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/2988-273-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/2988-147-0x0000000005D30000-0x00000000062D4000-memory.dmp

Filesize
5.6MB

Download
memory/2988-160-0x00000000056B0000-0x00000000056BA000-memory.dmp

Filesize
40KB

Download
memory/2988-148-0x0000000005780000-0x0000000005812000-memory.dmp

Filesize
584KB

Download
memory/3768-272-0x0000021827CB0000-0x0000021827CC0000-memory.dmp

Filesize
64KB

Download
memory/3768-293-0x0000021840450000-0x000002184059E000-memory.dmp

Filesize
1.3MB

Download
memory/3768-271-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp

Filesize
10.8MB

Download
memory/3768-286-0x0000021840450000-0x000002184059E000-memory.dmp

Filesize
1.3MB

Download
memory/3768-288-0x0000021840450000-0x000002184059E000-memory.dmp

Filesize
1.3MB

Download
memory/4340-384-0x00007FF632C30000-0x00007FF63341F000-memory.dmp

Filesize
7.9MB

Download
memory/4340-382-0x000002E6FED50000-0x000002E6FED70000-memory.dmp

Filesize
128KB

Download
memory/4988-337-0x00007FF743D20000-0x00007FF7475AE000-memory.dmp

Filesize
56.6MB

Download
memory/4988-310-0x00007FF743D20000-0x00007FF7475AE000-memory.dmp

Filesize
56.6MB

Download
memory/4988-381-0x00007FF743D20000-0x00007FF7475AE000-memory.dmp

Filesize
56.6MB

Download
memory/5144-298-0x00007FF74C820000-0x00007FF7500AE000-memory.dmp

Filesize
56.6MB

Download
memory/5144-170-0x00007FF74C820000-0x00007FF7500AE000-memory.dmp

Filesize
56.6MB

Download
memory/5144-233-0x00007FF74C820000-0x00007FF7500AE000-memory.dmp

Filesize
56.6MB

Download
memory/5144-285-0x00007FF74C820000-0x00007FF7500AE000-memory.dmp

Filesize
56.6MB

Download
memory/5188-383-0x00007FF70F980000-0x00007FF70F9AA000-memory.dmp

Filesize
168KB

Download
memory/5644-346-0x00000240BD0F0000-0x00000240BD23E000-memory.dmp

Filesize
1.3MB

Download
memory/5708-4-0x0000000006A90000-0x0000000006AA0000-memory.dmp

Filesize
64KB

Download
memory/5708-112-0x0000000006A90000-0x0000000006AA0000-memory.dmp

Filesize
64KB

Download
memory/5708-2-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp

Filesize
10.8MB

Download
memory/5708-3-0x00000000005C0000-0x00000000048EC000-memory.dmp

Filesize
67.2MB

Download
memory/5708-74-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp

Filesize
10.8MB

Download
memory/5708-111-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp

Filesize
10.8MB

Download
memory/6024-198-0x00000250D5D70000-0x00000250D5D80000-memory.dmp

Filesize
64KB

Download
memory/6024-257-0x00000250D5E80000-0x00000250D5FCE000-memory.dmp

Filesize
1.3MB

Download
memory/6024-196-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp

Filesize
10.8MB

Download
memory/6024-240-0x00000250D5E80000-0x00000250D5FCE000-memory.dmp

Filesize
1.3MB

Download
memory/6024-202-0x00000250D5D70000-0x00000250D5D80000-memory.dmp

Filesize
64KB

Download
memory/6024-262-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp

Filesize
10.8MB

Download
memory/6024-197-0x00000250D5D70000-0x00000250D5D80000-memory.dmp

Filesize
64KB

Download
memory/6028-258-0x0000010FDA470000-0x0000010FDA480000-memory.dmp

Filesize
64KB

Download
memory/6028-201-0x0000010FDA470000-0x0000010FDA480000-memory.dmp

Filesize
64KB

Download
memory/6028-239-0x0000010FDA5B0000-0x0000010FDA6FE000-memory.dmp

Filesize
1.3MB

Download
memory/6028-186-0x0000010FDA470000-0x0000010FDA480000-memory.dmp

Filesize
64KB

Download
memory/6028-263-0x0000010FDA5B0000-0x0000010FDA6FE000-memory.dmp

Filesize
1.3MB

Download
memory/6028-185-0x0000010FDA470000-0x0000010FDA480000-memory.dmp

Filesize
64KB

Download
memory/6028-184-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp

Filesize
10.8MB

Download
memory/6028-265-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp

Filesize
10.8MB

Download
memory/6044-149-0x000001BBF0B30000-0x000001BBF0C7E000-memory.dmp

Filesize
1.3MB

Download
memory/6044-212-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp

Filesize
10.8MB

Download
memory/6044-127-0x000001BBD86C0000-0x000001BBD86D0000-memory.dmp

Filesize
64KB

Download
memory/6044-143-0x000001BBD86C0000-0x000001BBD86D0000-memory.dmp

Filesize
64KB

Download
memory/6044-122-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp

Filesize
10.8MB

Download
memory/6044-34-0x000001BBD86C0000-0x000001BBD86D0000-memory.dmp

Filesize
64KB

Download
memory/6044-58-0x000001BBF09C0000-0x000001BBF09E2000-memory.dmp

Filesize
136KB

Download
memory/6044-28-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp

Filesize
10.8MB

Download
memory/6044-40-0x000001BBD86C0000-0x000001BBD86D0000-memory.dmp

Filesize
64KB

Download
memory/6044-144-0x000001BBD86C0000-0x000001BBD86D0000-memory.dmp

Filesize
64KB

Download
memory/6044-78-0x000001BBD86C0000-0x000001BBD86D0000-memory.dmp

Filesize
64KB

Download
memory/6044-209-0x000001BBF0B30000-0x000001BBF0C7E000-memory.dmp

Filesize
1.3MB

Download