amadey | bcea32218a0f36cb4f573d0b139db62cc1c8987e698556d48bdaaefa63b691c0

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2023 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

427KB
MD5

4cf5792c9acfba1859d70a1e7b3f2174
SHA1

cb73ce1025a4130ff12820b0d8bfaccade212ec8
SHA256

bcea32218a0f36cb4f573d0b139db62cc1c8987e698556d48bdaaefa63b691c0
SHA512

da80d30f4c23a46dd070a2f4c82ec38d883a869d20d1b355fafe395cb30622b97b9455bc75390e80660826ddc8f989216d2c0551c064ff54779ac39b76fa8fbe
SSDEEP

6144:K1y+bnr+xp0yN90QEZQJ/iVjr+vQkoRcVhGWeKmKzTJmfuC37AAUNimgQ3adfJ:jMrxy90Mli1SLFG3EdkmgTJ

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

@ytlogsbot

176.123.4.46:33783

Attributes

auth_value
295b226f1b63bcd55148625381b27b19

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

file.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
6028	schtasks.exe
2692	schtasks.exe
3736	schtasks.exe

Detects Healer an antivirus disabler dropper 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1BC4.exe	healer
behavioral2/memory/3644-96-0x00000000008C0000-0x00000000008CA000-memory.dmp	healer
C:\Users\Admin\AppData\Local\Temp\1BC4.exe	healer

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/956-252-0x0000000004B30000-0x000000000541B000-memory.dmp	family_glupteba
behavioral2/memory/956-282-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral2/memory/956-401-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral2/memory/956-570-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral2/memory/956-679-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

1BC4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1BC4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1BC4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1BC4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1BC4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1BC4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1BC4.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1784-141-0x00000000007E0000-0x000000000083A000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

5164 netsh.exe

pid	process
5164	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

29E1.exekos.exe1DAA.exeexplothe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	29E1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	kos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	1DAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 36 IoCs

Processes:

v7878792.exea0843063.exeb3978291.exec7375146.exe1661.exex0151560.exe174D.exex5312124.exex4164560.exex3079184.exeg9947978.exe1A7B.exe1BC4.exe1DAA.exe2089.exeexplothe.exeh7672766.exe29E1.exess41.exe3193.exetoolspub2.exe31839b57a4f11171d6abc8bbc4451ee4.exetoolspub2.execacls.exeset16.exekos.exeis-4KUM5.tmppreviewer.exepreviewer.exeexplothe.exe31839b57a4f11171d6abc8bbc4451ee4.execsrss.exeinjector.exewindefender.exewindefender.exeexplothe.exe

pid	process
3756	v7878792.exe
1508	a0843063.exe
1372	b3978291.exe
4868	c7375146.exe
1368	1661.exe
4392	x0151560.exe
4060	174D.exe
1592	x5312124.exe
3336	x4164560.exe
5036	x3079184.exe
1876	g9947978.exe
464	1A7B.exe
3644	1BC4.exe
3800	1DAA.exe
1784	2089.exe
4984	explothe.exe
4728	h7672766.exe
1588	29E1.exe
4540	ss41.exe
2152	3193.exe
4068	toolspub2.exe
956	31839b57a4f11171d6abc8bbc4451ee4.exe
1932	toolspub2.exe
2700	cacls.exe
4712	set16.exe
2804	kos.exe
2376	is-4KUM5.tmp
1236	previewer.exe
5756	previewer.exe
5892	explothe.exe
5636	31839b57a4f11171d6abc8bbc4451ee4.exe
5472	csrss.exe
5924	injector.exe
5828	windefender.exe
2320	windefender.exe
5540	explothe.exe

Loads dropped DLL 4 IoCs

Processes:

is-4KUM5.tmprundll32.exe

pid process

2376 is-4KUM5.tmp
2376 is-4KUM5.tmp
2376 is-4KUM5.tmp
440 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

1BC4.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" 1BC4.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2376	is-4KUM5.tmp
2376	is-4KUM5.tmp
2376	is-4KUM5.tmp
440	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1BC4.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

file.exev7878792.exe1661.exex0151560.exe31839b57a4f11171d6abc8bbc4451ee4.exex5312124.exex4164560.exex3079184.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7878792.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1661.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0151560.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5312124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4164560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	x3079184.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe
Detected potential entity reuse from brand microsoft.
phishing microsoft

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

a0843063.exeb3978291.exe174D.exeg9947978.exe1A7B.exetoolspub2.exe3193.exe

description	pid	process	target process
PID 1508 set thread context of 456	1508	a0843063.exe	AppLaunch.exe
PID 1372 set thread context of 1580	1372	b3978291.exe	AppLaunch.exe
PID 4060 set thread context of 1632	4060	174D.exe	AppLaunch.exe
PID 1876 set thread context of 532	1876	g9947978.exe	AppLaunch.exe
PID 464 set thread context of 2668	464	1A7B.exe	AppLaunch.exe
PID 4068 set thread context of 1932	4068	toolspub2.exe	toolspub2.exe
PID 2152 set thread context of 1600	2152	3193.exe	vbc.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 7 IoCs

Processes:

is-4KUM5.tmp

description	ioc	process
File created	C:\Program Files (x86)\PA Previewer\unins000.dat	is-4KUM5.tmp
File created	C:\Program Files (x86)\PA Previewer\is-QBUD1.tmp	is-4KUM5.tmp
File created	C:\Program Files (x86)\PA Previewer\is-PGEVJ.tmp	is-4KUM5.tmp
File created	C:\Program Files (x86)\PA Previewer\is-A8HUK.tmp	is-4KUM5.tmp
File created	C:\Program Files (x86)\PA Previewer\is-TIP51.tmp	is-4KUM5.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\unins000.dat	is-4KUM5.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\previewer.exe	is-4KUM5.tmp

Drops file in Windows directory 4 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.execsrss.exe

description	ioc	process
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

5548 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5548	sc.exe

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1268	1508	WerFault.exe	a0843063.exe
3132	1372	WerFault.exe	b3978291.exe
4852	1580	WerFault.exe	AppLaunch.exe
2744	4060	WerFault.exe	174D.exe
3716	1876	WerFault.exe	g9947978.exe
3244	532	WerFault.exe	AppLaunch.exe
1248	464	WerFault.exe	1A7B.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub2.exeAppLaunch.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2692 schtasks.exe
6028 schtasks.exe
3736 schtasks.exe

pid	process
2692	schtasks.exe
6028	schtasks.exe
3736	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exewindefender.exe31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exe

pid	process
456	AppLaunch.exe
456	AppLaunch.exe
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2572
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

AppLaunch.exetoolspub2.exe

pid process

456 AppLaunch.exe
1932 toolspub2.exe

pid	process
2572

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

msedge.exemsedge.exe

pid	process
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1BC4.exe

description	pid	process
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeDebugPrivilege	3644	1BC4.exe
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

msedge.exemsedge.exe

pid	process
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

msedge.exemsedge.exe

pid	process
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2572

pid	process
2572

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exev7878792.exea0843063.exeb3978291.exe1661.exex0151560.exex5312124.exex4164560.exex3079184.exe174D.exe

description	pid	process	target process
PID 2384 wrote to memory of 3756	2384	file.exe	v7878792.exe
PID 2384 wrote to memory of 3756	2384	file.exe	v7878792.exe
PID 2384 wrote to memory of 3756	2384	file.exe	v7878792.exe
PID 3756 wrote to memory of 1508	3756	v7878792.exe	a0843063.exe
PID 3756 wrote to memory of 1508	3756	v7878792.exe	a0843063.exe
PID 3756 wrote to memory of 1508	3756	v7878792.exe	a0843063.exe
PID 1508 wrote to memory of 4756	1508	a0843063.exe	AppLaunch.exe
PID 1508 wrote to memory of 4756	1508	a0843063.exe	AppLaunch.exe
PID 1508 wrote to memory of 4756	1508	a0843063.exe	AppLaunch.exe
PID 1508 wrote to memory of 456	1508	a0843063.exe	AppLaunch.exe
PID 1508 wrote to memory of 456	1508	a0843063.exe	AppLaunch.exe
PID 1508 wrote to memory of 456	1508	a0843063.exe	AppLaunch.exe
PID 1508 wrote to memory of 456	1508	a0843063.exe	AppLaunch.exe
PID 1508 wrote to memory of 456	1508	a0843063.exe	AppLaunch.exe
PID 1508 wrote to memory of 456	1508	a0843063.exe	AppLaunch.exe
PID 3756 wrote to memory of 1372	3756	v7878792.exe	b3978291.exe
PID 3756 wrote to memory of 1372	3756	v7878792.exe	b3978291.exe
PID 3756 wrote to memory of 1372	3756	v7878792.exe	b3978291.exe
PID 1372 wrote to memory of 4204	1372	b3978291.exe	AppLaunch.exe
PID 1372 wrote to memory of 4204	1372	b3978291.exe	AppLaunch.exe
PID 1372 wrote to memory of 4204	1372	b3978291.exe	AppLaunch.exe
PID 1372 wrote to memory of 1580	1372	b3978291.exe	AppLaunch.exe
PID 1372 wrote to memory of 1580	1372	b3978291.exe	AppLaunch.exe
PID 1372 wrote to memory of 1580	1372	b3978291.exe	AppLaunch.exe
PID 1372 wrote to memory of 1580	1372	b3978291.exe	AppLaunch.exe
PID 1372 wrote to memory of 1580	1372	b3978291.exe	AppLaunch.exe
PID 1372 wrote to memory of 1580	1372	b3978291.exe	AppLaunch.exe
PID 1372 wrote to memory of 1580	1372	b3978291.exe	AppLaunch.exe
PID 1372 wrote to memory of 1580	1372	b3978291.exe	AppLaunch.exe
PID 1372 wrote to memory of 1580	1372	b3978291.exe	AppLaunch.exe
PID 1372 wrote to memory of 1580	1372	b3978291.exe	AppLaunch.exe
PID 2384 wrote to memory of 4868	2384	file.exe	c7375146.exe
PID 2384 wrote to memory of 4868	2384	file.exe	c7375146.exe
PID 2384 wrote to memory of 4868	2384	file.exe	c7375146.exe
PID 2572 wrote to memory of 1368	2572		1661.exe
PID 2572 wrote to memory of 1368	2572		1661.exe
PID 2572 wrote to memory of 1368	2572		1661.exe
PID 1368 wrote to memory of 4392	1368	1661.exe	x0151560.exe
PID 1368 wrote to memory of 4392	1368	1661.exe	x0151560.exe
PID 1368 wrote to memory of 4392	1368	1661.exe	x0151560.exe
PID 2572 wrote to memory of 4060	2572		174D.exe
PID 2572 wrote to memory of 4060	2572		174D.exe
PID 2572 wrote to memory of 4060	2572		174D.exe
PID 4392 wrote to memory of 1592	4392	x0151560.exe	x5312124.exe
PID 4392 wrote to memory of 1592	4392	x0151560.exe	x5312124.exe
PID 4392 wrote to memory of 1592	4392	x0151560.exe	x5312124.exe
PID 2572 wrote to memory of 864	2572		RuntimeBroker.exe
PID 2572 wrote to memory of 864	2572		RuntimeBroker.exe
PID 1592 wrote to memory of 3336	1592	x5312124.exe	x4164560.exe
PID 1592 wrote to memory of 3336	1592	x5312124.exe	x4164560.exe
PID 1592 wrote to memory of 3336	1592	x5312124.exe	x4164560.exe
PID 3336 wrote to memory of 5036	3336	x4164560.exe	x3079184.exe
PID 3336 wrote to memory of 5036	3336	x4164560.exe	x3079184.exe
PID 3336 wrote to memory of 5036	3336	x4164560.exe	x3079184.exe
PID 5036 wrote to memory of 1876	5036	x3079184.exe	g9947978.exe
PID 5036 wrote to memory of 1876	5036	x3079184.exe	g9947978.exe
PID 5036 wrote to memory of 1876	5036	x3079184.exe	g9947978.exe
PID 4060 wrote to memory of 1632	4060	174D.exe	AppLaunch.exe
PID 4060 wrote to memory of 1632	4060	174D.exe	AppLaunch.exe
PID 4060 wrote to memory of 1632	4060	174D.exe	AppLaunch.exe
PID 4060 wrote to memory of 1632	4060	174D.exe	AppLaunch.exe
PID 4060 wrote to memory of 1632	4060	174D.exe	AppLaunch.exe
PID 4060 wrote to memory of 1632	4060	174D.exe	AppLaunch.exe
PID 4060 wrote to memory of 1632	4060	174D.exe	AppLaunch.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- DcRat
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7878792.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7878792.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0843063.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0843063.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4756
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 584
      4⤵
      Program crash
      PID:1268
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3978291.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3978291.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4204
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1580
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 540
        5⤵
        Program crash
        
        PID:4852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 148
      4⤵
      Program crash
      PID:3132
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c7375146.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c7375146.exe
  2⤵
  - Executes dropped EXE
  PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1508 -ip 1508
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1372 -ip 1372
1⤵
PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1580 -ip 1580
1⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\1661.exe
C:\Users\Admin\AppData\Local\Temp\1661.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0151560.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0151560.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5312124.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5312124.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4164560.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4164560.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3336
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3079184.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3079184.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5036
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g9947978.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g9947978.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1876
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 540
        8⤵
        Program crash
        
        PID:3244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 152
        7⤵
        Program crash
        
        PID:3716
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h7672766.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h7672766.exe
        6⤵
        Executes dropped EXE
        
        PID:4728

C:\Users\Admin\AppData\Local\Temp\174D.exe
C:\Users\Admin\AppData\Local\Temp\174D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 264
  2⤵
  - Program crash
  PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\18A6.bat" "
1⤵
PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,15038974761180976733,5206163932426058078,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1960 /prefetch:2
    3⤵
    PID:1936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,15038974761180976733,5206163932426058078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2532 /prefetch:3
    3⤵
    PID:4820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,15038974761180976733,5206163932426058078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
    3⤵
    PID:5052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15038974761180976733,5206163932426058078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    3⤵
    PID:5356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15038974761180976733,5206163932426058078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1
    3⤵
    PID:6036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15038974761180976733,5206163932426058078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    3⤵
    PID:5344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15038974761180976733,5206163932426058078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
    3⤵
    PID:1284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15038974761180976733,5206163932426058078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
    3⤵
    PID:2884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  PID:5204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4ace46f8,0x7fff4ace4708,0x7fff4ace4718
    3⤵
    PID:5324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4060 -ip 4060
1⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\1A7B.exe
C:\Users\Admin\AppData\Local\Temp\1A7B.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:5112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 272
  2⤵
  - Program crash
  PID:1248

C:\Users\Admin\AppData\Local\Temp\1BC4.exe
C:\Users\Admin\AppData\Local\Temp\1BC4.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1876 -ip 1876
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 532 -ip 532
1⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\1DAA.exe
C:\Users\Admin\AppData\Local\Temp\1DAA.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3800
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4984
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
    3⤵
    PID:5080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:N"
      4⤵
      Executes dropped EXE
      PID:2700
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:R" /E
      4⤵
      PID:3512
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:N"
      4⤵
      PID:3216
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:R" /E
      4⤵
      PID:4004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:3440
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 464 -ip 464
1⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\2089.exe
C:\Users\Admin\AppData\Local\Temp\2089.exe
1⤵
- Executes dropped EXE
PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=2089.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  PID:1484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,4317788066136901671,14492468989528176832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
    3⤵
    PID:5904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=2089.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:6100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4ace46f8,0x7fff4ace4708,0x7fff4ace4718
    3⤵
    PID:6076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,17214901854572059968,18080149207880820261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
    3⤵
    PID:2916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,17214901854572059968,18080149207880820261,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
    3⤵
    PID:3268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,17214901854572059968,18080149207880820261,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
    3⤵
    PID:2356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17214901854572059968,18080149207880820261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    3⤵
    PID:5148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17214901854572059968,18080149207880820261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:5852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17214901854572059968,18080149207880820261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
    3⤵
    PID:2744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17214901854572059968,18080149207880820261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
    3⤵
    PID:4032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17214901854572059968,18080149207880820261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
    3⤵
    PID:1632
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,17214901854572059968,18080149207880820261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
    3⤵
    PID:1288
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,17214901854572059968,18080149207880820261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
    3⤵
    PID:2032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17214901854572059968,18080149207880820261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
    3⤵
    PID:6136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17214901854572059968,18080149207880820261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
    3⤵
    PID:6128

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
1⤵
- Executes dropped EXE
PID:956
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  PID:2836
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:5636
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:4548
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:5124
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:5164
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:5616
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:3804
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Manipulates WinMonFS driver.
    - Drops file in Windows directory
    PID:5472
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:6132
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5124
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:6028
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:2544
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:3904
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:4868
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      PID:5924
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2744
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:3736
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      Executes dropped EXE
      PID:5828
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:5104
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:5548

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4068
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff4ace46f8,0x7fff4ace4708,0x7fff4ace4718
1⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\kos1.exe
"C:\Users\Admin\AppData\Local\Temp\kos1.exe"
1⤵
PID:2700
- C:\Users\Admin\AppData\Local\Temp\set16.exe
  "C:\Users\Admin\AppData\Local\Temp\set16.exe"
  2⤵
  - Executes dropped EXE
  PID:4712
- - C:\Users\Admin\AppData\Local\Temp\is-RTH5J.tmp\is-4KUM5.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-RTH5J.tmp\is-4KUM5.tmp" /SL4 $D002E "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:2376
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\system32\net.exe" helpmsg 8
      4⤵
      PID:4692
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 8
        5⤵
        
        PID:5748
  - - C:\Program Files (x86)\PA Previewer\previewer.exe
      "C:\Program Files (x86)\PA Previewer\previewer.exe" -i
      4⤵
      Executes dropped EXE
      PID:1236
  - - C:\Program Files (x86)\PA Previewer\previewer.exe
      "C:\Program Files (x86)\PA Previewer\previewer.exe" -s
      4⤵
      Executes dropped EXE
      PID:5756
- C:\Users\Admin\AppData\Local\Temp\kos.exe
  "C:\Users\Admin\AppData\Local\Temp\kos.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2804

C:\Users\Admin\AppData\Local\Temp\3193.exe
C:\Users\Admin\AppData\Local\Temp\3193.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2152

C:\Users\Admin\AppData\Local\Temp\ss41.exe
"C:\Users\Admin\AppData\Local\Temp\ss41.exe"
1⤵
- Executes dropped EXE
PID:4540

C:\Users\Admin\AppData\Local\Temp\29E1.exe
C:\Users\Admin\AppData\Local\Temp\29E1.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4ace46f8,0x7fff4ace4708,0x7fff4ace4718
1⤵
PID:4592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6000

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1908

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2320

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\ProgramData\ContentDVSvc\ContentDVSvc.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a51b2d14083d3036ce8a74898e4ac3e8

SHA1
182bdd385bde996e006161e329b09499629a425f

SHA256
59cb42412926608d86ea4746fa3bb07827ba9e9bed88cc40d033d04c80d3ea32

SHA512
d92198f32861a0ee8ab00a80b7685a2d5ee110ab9a845b059d0ba5781c62f77d6afc5df82a33c45a4424edf268c9628844301235ad139d56d7015ed296d7daed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a194a9fc86b6454c50b84985629a7222

SHA1
ea985f71607afc0ad19b485df57722ffb7e4e4c4

SHA256
8a169519aa58e446c5d346b307186131a33dac9eb8a154c8ece858bb1bba39ff

SHA512
d11f3fc36bc633acdcf0f37a90233f6f9e819a05caaaa753e47e2c0f5e42cf3bbd730e232f01d12d45eb0d5c6a20173d339baa434c3e2e588dc4f43a58670b60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
b8b6f7f95251f922e34edc7f11dc7115

SHA1
008a6ca136a4966e381969539e0038f0a007eb82

SHA256
a0d2e567486079b5afbba907a265bd234146468a7b3a639a60733d6741785cb6

SHA512
1dea45f23f70e3eaf65997d182c25f40e17401a1c69f1ad42fbafed6a0b47f6771da15a6cbfae797842e77ac70f35251f66c8eca814dafc22089a0bd5de906a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
36252257fc46ee062b696eabda206cf5

SHA1
93d0573081b9d6d77839451f312e19117decfd50

SHA256
f04ea6156932724ae2f939dec962c70cce5db268f3932f1f0e8ae8e664211609

SHA512
1ca5c7a78b144742672abc0bf11c5117aefde5d3d5927505452e5df14ae702490cc423bb1fc1fbb2558266931a2e5fde932a3fbe44981fc99e3cb78a5d9038b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
709B

MD5
f5d1af62ec298173424b9a9fb0616e69

SHA1
2c80ec2f8fd8b0d46ae2771a7e88cbc8f5195568

SHA256
60bc49797bf8324a59e49ba4961bb320248e00b4807b9f3a13fec27450a0d7c8

SHA512
aba24fcf26dbef21bcd3af2df749931243c5a78c1da947e445e327e67a117e8c96769f22cb2240d6410bff6b0408b7dc7b2865c0b18b111d7c924f82e1517e55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
800B

MD5
b0998fbf58f928aada3de4c6c6530a41

SHA1
8910ac4e5bb2a85ad31bf914a571f4e6a0760f3b

SHA256
7e7dd0bd4c6ec00f65374475fb4373f2e840c63420d2c29ffd8fe8bff5236b18

SHA512
5e802667bac71bd1172d386c5adde0618fc100811a548efd4e4e712f66c7bbe5c46c824661c9b1edc7ecee5633800b5a468cb3fa21aede0fdbe6d0311a78c9af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a59b20f9b6740b450a040823b731340a

SHA1
c54c40479740527deb9d9bd437c7f7689ad4b602

SHA256
e2ed7d0506cb5692b232388ff5d9db2bc4a9caf575afdeb56156beb4143e8330

SHA512
927f19bc112c326a6bd18632227b564b330589ce8c8481ff43a59d297190fe7dcd351c2151eb9ef22a2a28bddabb20a4c22b8e4842f96256f3683d1e227bc876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8b7951d19f58f66adb76925526e17218

SHA1
3a84bd1d3d646258778a185f2103dff96e9bcd45

SHA256
2ec0173cca0e3277a9b85aac9d38d3abc2a163d75f99ceb228684f5a5041d4ae

SHA512
f26c95fd96936503d11e89295f5cbf528461d2aec5f2f253c68dfe8bf77bbc5b8fc687fdf0bc41457dc9ac978a3e31ee4979a242a2904b77dc38353eb38e49e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3bcef01c9693211f107f3b4a75e3f7dc

SHA1
0a655ac77408736737294d0b7376b9ad0fd252df

SHA256
5c56cb0c32558df6376810d2f3fcdc42b76338b8ea28a55c59b58a7a6d8602ac

SHA512
413b7c16d4e59a509aaf74a0f460f5ef67f0448aa3c35cf72e71068d35d78e857536c516211caf82e1843d4049a6b1a39e950329d1015925ebc7ea4385ac43b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
80b468f8c424c4f0948404c9af53dc59

SHA1
e15a0ee1397eef1ea9b0e1a033548fe0764c2c51

SHA256
1695843dda70f632103e9a07a03b9b3841c01cb273b547069d2aad9292fe4794

SHA512
838b73988d8688fb7a2a34b1dd235d0bdfa8fca25ac32943f9be8f19f5a503eb551e0d02e8e1635054da0556fa4e93e9f28c6c4d18170b67c20d91268870f639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
b690c7643af8bf5f3a96b59e33522135

SHA1
204ca48a942ecba4d2f2ef844275c3f5905ed453

SHA256
4577c23a112c820b430e2b16d0283f4715b06f64164e1e5bf883034a7201c695

SHA512
f690f6f5cb19c2e7338feda4741c47b107e48e86db530829cff7e4a0737b813051d31625b1f3108bf8a2f496fad14767b6c255bc816a3e8a3bc43d4c2b63036d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
4726f46c1d353bb123efe4993d747509

SHA1
6a7022727594b0f6d1f860917c31887be8ddccba

SHA256
e7649f1bec8247554cf866cd9e6c1b84ff02d3e7df556a54fc3f524bc898ba73

SHA512
dcf11d7505617fcbd4b9ac55ee7ef3fb36dfa679d50409eb703b4a86d175f9425fa156e05331d4335f4d9002a9ae5528d02d8a0d41f7c38432f5dfaf5df5f3f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ea51dae718727a4198ce2861e3b8968d

SHA1
7185f63eb7ba18428e7d2af8946dd6d467f5b2ce

SHA256
626a3ee0f9eada4825f1e23e660b4dde5850854b4406c8385fa939fd08abd4ec

SHA512
1b489669479122560cee55a0bfb3df4630f43faed208a9853112e3af5e117ba04f2adcb68b3d312d6a12536373814f04b6126cb4de7cca5405482e397a053ead

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1dbbebcee32545838c7db17cf3abed7f

SHA1
d81040e25336e459181ce281bc776c059ddf8868

SHA256
09162f98f2182b0642369f60b2088b5d4661caa2a3ea3d4bf722bc9e6eb36fb4

SHA512
56ae6f36bba99ea1e3fc43e836ee3ca9a2a87295bbb799dafe2e07d7bf0671f45110d4e86c9e9b0b43a95ad58e49ae4e51c0b94855311ddfdf0da2419e5c0905

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
895592f9ca11468a64476d7589add2e0

SHA1
22cc35d1f94442eae86fd1fd7d9797885abc034c

SHA256
6c1115fa58cd2b8d3c473151f2bbc0cdd74266b16c9d9c18f5261ad2f9f2393b

SHA512
9f2db2aa63b4dccc7f5e048d497353e8e1a6d4377f3293376265c793be092c1546ba896a85bb8093df7984c8317275351196e47a8e583858e09c5e5d2fc8091a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
e2bb1c443f9b7425ac9d2e0c7784a3c7

SHA1
0afb3b16d4f3edc0251caca396830f28d3d35fa4

SHA256
88d09bd56d83e0c4282fd56e21e1a29a2600243d517cc16dd9e1fe031cbd284e

SHA512
96755f040843c7b268f554124d6efdd293547396305289a739dfa4f2bdd6715dc5f1d1d903b096d57fbe0aaafdc0eb33e937fb2857e7b09803f74f6393a09ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1661.exe

Filesize
1.0MB

MD5
4b40718893333aef8f222bb64a26d71a

SHA1
d7e2627b5bbad2b3b1d21d7af194289fe2f6f4a1

SHA256
8f45d7623fe6020ead49c5a608d4a53e5d15b98c8d4518fc215f9659d26c284e

SHA512
370ceb63434b65619f070873b08e42e5674010adc44b54d8c5469804168f6907c030e0f4b345cc2349625df66a1c4a83818a2f8a4f4bb66259dd2d76da47de3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1661.exe

Filesize
1.0MB

MD5
4b40718893333aef8f222bb64a26d71a

SHA1
d7e2627b5bbad2b3b1d21d7af194289fe2f6f4a1

SHA256
8f45d7623fe6020ead49c5a608d4a53e5d15b98c8d4518fc215f9659d26c284e

SHA512
370ceb63434b65619f070873b08e42e5674010adc44b54d8c5469804168f6907c030e0f4b345cc2349625df66a1c4a83818a2f8a4f4bb66259dd2d76da47de3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\174D.exe

Filesize
276KB

MD5
36580bf86d3df87ccd923183d274ebf9

SHA1
b7dbe05df051579308d4ae89b0f05e0a0cda4577

SHA256
99e958e9d9c5c496b7929e6776e9fecf46bc786e45ab7273f4cf2ddc9e0c5b4c

SHA512
aeed09f98d85464c6b1fa054bc2b12bc58863ea2c2a5b57676f2edbbea044f0bb0f67a9274d629b180a8f174018bb287353d7660d53621e07622e5e6d05a3094

Download Submit
C:\Users\Admin\AppData\Local\Temp\174D.exe

Filesize
276KB

MD5
36580bf86d3df87ccd923183d274ebf9

SHA1
b7dbe05df051579308d4ae89b0f05e0a0cda4577

SHA256
99e958e9d9c5c496b7929e6776e9fecf46bc786e45ab7273f4cf2ddc9e0c5b4c

SHA512
aeed09f98d85464c6b1fa054bc2b12bc58863ea2c2a5b57676f2edbbea044f0bb0f67a9274d629b180a8f174018bb287353d7660d53621e07622e5e6d05a3094

Download Submit
C:\Users\Admin\AppData\Local\Temp\18A6.bat

Filesize
79B

MD5
403991c4d18ac84521ba17f264fa79f2

SHA1
850cc068de0963854b0fe8f485d951072474fd45

SHA256
ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

SHA512
a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A7B.exe

Filesize
310KB

MD5
b1076978d5ee4be765e8a49dcf8fea57

SHA1
2c29733e7369d1be3578130d704c498041af30c4

SHA256
8bc9fa85bb9a2878b231c8cf656f66a5aaa30f6c9b54f24ff0a2d84f0272c955

SHA512
aec4345faa2e3e5dc80cc59259dfa9bef5adc03a96bb846d3de89969d8e788499f63369bb811f4dcbfe74d93c36fa1c10c80165c2f40327480f883543dc6d013

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A7B.exe

Filesize
310KB

MD5
b1076978d5ee4be765e8a49dcf8fea57

SHA1
2c29733e7369d1be3578130d704c498041af30c4

SHA256
8bc9fa85bb9a2878b231c8cf656f66a5aaa30f6c9b54f24ff0a2d84f0272c955

SHA512
aec4345faa2e3e5dc80cc59259dfa9bef5adc03a96bb846d3de89969d8e788499f63369bb811f4dcbfe74d93c36fa1c10c80165c2f40327480f883543dc6d013

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BC4.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BC4.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1DAA.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\1DAA.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\2089.exe

Filesize
407KB

MD5
264d1eb69bcce00fdf11a6a39472dd0a

SHA1
e466c80da7f961743681b6dbdae3eaa0756a4dcd

SHA256
a744a3c6231d68eb30fd4ec1c1deb3830b13b36d3c4bae9ebf03c3d1380b0f79

SHA512
f45a0da6d82081f787b385595c34a8abc6552d0e73dd393789f93a1b2910efc8ab413668d347726ae874c298c9c3ac458e7e422e98ad2bb3354b8c8563ecbed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2089.exe

Filesize
407KB

MD5
264d1eb69bcce00fdf11a6a39472dd0a

SHA1
e466c80da7f961743681b6dbdae3eaa0756a4dcd

SHA256
a744a3c6231d68eb30fd4ec1c1deb3830b13b36d3c4bae9ebf03c3d1380b0f79

SHA512
f45a0da6d82081f787b385595c34a8abc6552d0e73dd393789f93a1b2910efc8ab413668d347726ae874c298c9c3ac458e7e422e98ad2bb3354b8c8563ecbed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\29E1.exe

Filesize
6.4MB

MD5
3c81534d635fbe4bfab2861d98422f70

SHA1
9cc995fa42313cd82eacaad9e3fe818cd3805f58

SHA256
88921dad96a51ff9f15a1d93b51910b2ac75589020fbb75956b6f090381d4d4f

SHA512
132fa532fad96b512b795cf4786245cc24bbdbbab433bf34925cf20401a819cab7bed92771e7f0b4c970535804d42f7f1d2887765ed8f999c99a0e15d93a0136

Download Submit
C:\Users\Admin\AppData\Local\Temp\29E1.exe

Filesize
6.4MB

MD5
3c81534d635fbe4bfab2861d98422f70

SHA1
9cc995fa42313cd82eacaad9e3fe818cd3805f58

SHA256
88921dad96a51ff9f15a1d93b51910b2ac75589020fbb75956b6f090381d4d4f

SHA512
132fa532fad96b512b795cf4786245cc24bbdbbab433bf34925cf20401a819cab7bed92771e7f0b4c970535804d42f7f1d2887765ed8f999c99a0e15d93a0136

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
7ea584dc49967de03bebdacec829b18d

SHA1
3d47f0e88c7473bedeed2f14d7a8db1318b93852

SHA256
79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53

SHA512
ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
7ea584dc49967de03bebdacec829b18d

SHA1
3d47f0e88c7473bedeed2f14d7a8db1318b93852

SHA256
79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53

SHA512
ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
7ea584dc49967de03bebdacec829b18d

SHA1
3d47f0e88c7473bedeed2f14d7a8db1318b93852

SHA256
79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53

SHA512
ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3193.exe

Filesize
1.4MB

MD5
965fcf373f3e95995f8ae35df758eca1

SHA1
a62d2494f6ba8a02a80a02017e7c347f76b18fa6

SHA256
82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39

SHA512
55e9fefbe2a1ed92034573f3c4bb03fe29b0d345ebe834f2f9192d5ddd2237f1bb8e4fb5f9516852e7e0efa42a3122a11d2f0db7c9633b1566901cdd7862ff52

Download Submit
C:\Users\Admin\AppData\Local\Temp\3193.exe

Filesize
1.4MB

MD5
965fcf373f3e95995f8ae35df758eca1

SHA1
a62d2494f6ba8a02a80a02017e7c347f76b18fa6

SHA256
82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39

SHA512
55e9fefbe2a1ed92034573f3c4bb03fe29b0d345ebe834f2f9192d5ddd2237f1bb8e4fb5f9516852e7e0efa42a3122a11d2f0db7c9633b1566901cdd7862ff52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c7375146.exe

Filesize
24KB

MD5
a4596e3fd5d74d35c55350407711de80

SHA1
807e014998aed195bb99ee1a4032a90c3bd7145f

SHA256
f9b9ae13c80ea3ca1f9b2305dbd044e8437b5bcadd20e66b8221418d5f1d9628

SHA512
89b731e48a6932f12dc8a8f2ef7c083863253707618391cc2e73e8297b922885a34eae458d98a95bc2f13d2eaf2720af26f793fbdb11955c63a4aae3de930bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c7375146.exe

Filesize
24KB

MD5
a4596e3fd5d74d35c55350407711de80

SHA1
807e014998aed195bb99ee1a4032a90c3bd7145f

SHA256
f9b9ae13c80ea3ca1f9b2305dbd044e8437b5bcadd20e66b8221418d5f1d9628

SHA512
89b731e48a6932f12dc8a8f2ef7c083863253707618391cc2e73e8297b922885a34eae458d98a95bc2f13d2eaf2720af26f793fbdb11955c63a4aae3de930bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l3493954.exe

Filesize
23KB

MD5
77db413ae4fec32a49abafe781566b4a

SHA1
fc6112c376d19da27e59693971e33b740922d248

SHA256
348579c873e04e40d4b2f57135969ae00d33336dd7579769f7268bf3f0d03aac

SHA512
bc254e9561e34fcb335d1ed4c32491c5350f6aebab95c45f14962b21e42cc8bebe6869362bc9d3cb5ce08424dd8d904a77ebec79612db425b35c103336455440

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7878792.exe

Filesize
325KB

MD5
210eb03732445e8235b7483652787f25

SHA1
35a7cb4166a2d856f7bbe7ddfd0c40749960583b

SHA256
27176ef2a6bbeae3181ab05af1293d21299fb7e39dcd50f46392974c10f2c728

SHA512
2abb5f00b6887f99e2a13c4da091e45b32ff82abab07a7c0a9c9a075f8fd73ce145be3b7adaf273dbb6df791c06e4f5102adb941f3b3971be526742769c69d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7878792.exe

Filesize
325KB

MD5
210eb03732445e8235b7483652787f25

SHA1
35a7cb4166a2d856f7bbe7ddfd0c40749960583b

SHA256
27176ef2a6bbeae3181ab05af1293d21299fb7e39dcd50f46392974c10f2c728

SHA512
2abb5f00b6887f99e2a13c4da091e45b32ff82abab07a7c0a9c9a075f8fd73ce145be3b7adaf273dbb6df791c06e4f5102adb941f3b3971be526742769c69d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0151560.exe

Filesize
930KB

MD5
ddee606bcadb4ef045544138ec65ff26

SHA1
e638e86518d372e6507e378a6b80433625327b29

SHA256
c5424b8849311e071c5c706bd5daa9b00445fbc7ec0a375b6a73defc62f047d4

SHA512
2fcaff7990cd3b96ccffabe7b0b729f99924c1e73874862776307bdfbcececd6e5cbe3cfd7d48b5f45f33de3f2a067d249766f80a9448119b555d9fd6787428e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0151560.exe

Filesize
930KB

MD5
ddee606bcadb4ef045544138ec65ff26

SHA1
e638e86518d372e6507e378a6b80433625327b29

SHA256
c5424b8849311e071c5c706bd5daa9b00445fbc7ec0a375b6a73defc62f047d4

SHA512
2fcaff7990cd3b96ccffabe7b0b729f99924c1e73874862776307bdfbcececd6e5cbe3cfd7d48b5f45f33de3f2a067d249766f80a9448119b555d9fd6787428e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0843063.exe

Filesize
166KB

MD5
d9276c7b6211bd8945e156242f43884c

SHA1
57f34d1f774463ead5a88f0df48d5ceffc2e6369

SHA256
89b16b9cbf69f66ed4a806249056caf2ed1795cbc5ed5bb6b5e64b0c48581229

SHA512
83cdacebb14bef60be2a404b7ffc14993aa6b365c77b1c75ba6d757a5c165aeb62c430ea15a58dc47b5af45ca72e91412d9f676038a107ebfe7347eab09ce88e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0843063.exe

Filesize
166KB

MD5
d9276c7b6211bd8945e156242f43884c

SHA1
57f34d1f774463ead5a88f0df48d5ceffc2e6369

SHA256
89b16b9cbf69f66ed4a806249056caf2ed1795cbc5ed5bb6b5e64b0c48581229

SHA512
83cdacebb14bef60be2a404b7ffc14993aa6b365c77b1c75ba6d757a5c165aeb62c430ea15a58dc47b5af45ca72e91412d9f676038a107ebfe7347eab09ce88e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3978291.exe

Filesize
276KB

MD5
a13cef463e1f98e852f57dbbd96ea9b8

SHA1
ca1efebbc485a738b90c281cb39336e985daede2

SHA256
e44630cefc1e521ce7e73c7123149b38fe457fcbfccb834f5ed6c58a02463dce

SHA512
218783fbe2634ba41c35048458ad3c47ac240024bf45d6554f3f57204de3d3b3276efdd49142e5277ea0d4b88e1a42c203f5e54073125471dfd7581cc38b88be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3978291.exe

Filesize
276KB

MD5
a13cef463e1f98e852f57dbbd96ea9b8

SHA1
ca1efebbc485a738b90c281cb39336e985daede2

SHA256
e44630cefc1e521ce7e73c7123149b38fe457fcbfccb834f5ed6c58a02463dce

SHA512
218783fbe2634ba41c35048458ad3c47ac240024bf45d6554f3f57204de3d3b3276efdd49142e5277ea0d4b88e1a42c203f5e54073125471dfd7581cc38b88be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5312124.exe

Filesize
747KB

MD5
f05ed256cd058d1e1f402330a0844da6

SHA1
fd9ab1c2096b19093bbca4bf1454ad2297b715fd

SHA256
ceceffbcc7a69d14e28c775bd5638ab89b82135a35215c6bca3c43d53ea6705b

SHA512
ea7eeeacf031bf7a492402c4d12de8e7f52c959e02c7b4958e9610613edf3cdc37dd399dc5b8f1b09bf01ccb94bfc6d784850395d3ef6fbe45411a3f4ff9b6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5312124.exe

Filesize
747KB

MD5
f05ed256cd058d1e1f402330a0844da6

SHA1
fd9ab1c2096b19093bbca4bf1454ad2297b715fd

SHA256
ceceffbcc7a69d14e28c775bd5638ab89b82135a35215c6bca3c43d53ea6705b

SHA512
ea7eeeacf031bf7a492402c4d12de8e7f52c959e02c7b4958e9610613edf3cdc37dd399dc5b8f1b09bf01ccb94bfc6d784850395d3ef6fbe45411a3f4ff9b6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4164560.exe

Filesize
516KB

MD5
87b4c0570ce64b120c2cc6c2b848f8ac

SHA1
028a2228429e0b29b14e59a4cf5eb649f23bd4b3

SHA256
111403e2b1489acd64d6c81f470359e002f914aee5e0d8cfc59a0ba079d90609

SHA512
75013a3120403e2de7051d6fef31ff4370082080f1ea1dc438a2dc2ae2dba314ad35c315447687f8ba26ce3308b26ae739bb23be810e43bd936bad022f5f332b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4164560.exe

Filesize
516KB

MD5
87b4c0570ce64b120c2cc6c2b848f8ac

SHA1
028a2228429e0b29b14e59a4cf5eb649f23bd4b3

SHA256
111403e2b1489acd64d6c81f470359e002f914aee5e0d8cfc59a0ba079d90609

SHA512
75013a3120403e2de7051d6fef31ff4370082080f1ea1dc438a2dc2ae2dba314ad35c315447687f8ba26ce3308b26ae739bb23be810e43bd936bad022f5f332b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3079184.exe

Filesize
350KB

MD5
9be0cc653a06e9f37747a1fb7168113c

SHA1
37c247216f9be8f5ca629f9e498eddc51ff4ff8f

SHA256
4c8e414605f66cdda6c419af34b3a69f5c92d9f77796fa99bd137f1ca8505329

SHA512
92059e5df93b9e7922bc98d47546b32ba54fdaa1c596cf3fd2758364da439f40c2e14f63e5832a63f893ddf47ae6a35c656479bfac924c836bf3418791f2cc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3079184.exe

Filesize
350KB

MD5
9be0cc653a06e9f37747a1fb7168113c

SHA1
37c247216f9be8f5ca629f9e498eddc51ff4ff8f

SHA256
4c8e414605f66cdda6c419af34b3a69f5c92d9f77796fa99bd137f1ca8505329

SHA512
92059e5df93b9e7922bc98d47546b32ba54fdaa1c596cf3fd2758364da439f40c2e14f63e5832a63f893ddf47ae6a35c656479bfac924c836bf3418791f2cc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g9947978.exe

Filesize
276KB

MD5
bc5d6c21c9ba272735e4490ba056407e

SHA1
27f5715ab1f899cefc7935e02709f5f7392f1c5d

SHA256
1924c309f253bae40986bca4fc5a79e503f87b5ec083398eab5a7dd15f53874c

SHA512
e9aaee620ad0b2e4bf47f889df6d81348ee44d0385ddfc83fc1d27ab61480a3300b77e9ae506f79ae6ed61488de9b8e2e1abed64fa73a65824d217d0656bfe43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g9947978.exe

Filesize
276KB

MD5
bc5d6c21c9ba272735e4490ba056407e

SHA1
27f5715ab1f899cefc7935e02709f5f7392f1c5d

SHA256
1924c309f253bae40986bca4fc5a79e503f87b5ec083398eab5a7dd15f53874c

SHA512
e9aaee620ad0b2e4bf47f889df6d81348ee44d0385ddfc83fc1d27ab61480a3300b77e9ae506f79ae6ed61488de9b8e2e1abed64fa73a65824d217d0656bfe43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h7672766.exe

Filesize
174KB

MD5
aa7375d73dd3ea72bb012c59e46d9f55

SHA1
5dd990107051cf5d337d6edebce430b18315f703

SHA256
99500a327ecbbc8bc43d135638933b2531d7341333a6a9ef3c84e5523556e78a

SHA512
d266e388b96cd5820616f326c064207de7a42678a4977aba635ebfe582bc19654902fad4d87e81d9e15f4e8596251e8411bdea771f8e6bad610fffee4cfd95a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h7672766.exe

Filesize
174KB

MD5
aa7375d73dd3ea72bb012c59e46d9f55

SHA1
5dd990107051cf5d337d6edebce430b18315f703

SHA256
99500a327ecbbc8bc43d135638933b2531d7341333a6a9ef3c84e5523556e78a

SHA512
d266e388b96cd5820616f326c064207de7a42678a4977aba635ebfe582bc19654902fad4d87e81d9e15f4e8596251e8411bdea771f8e6bad610fffee4cfd95a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

Filesize
116B

MD5
ec6aae2bb7d8781226ea61adca8f0586

SHA1
d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3

SHA256
b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599

SHA512
aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vpjaulos.dd2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DUNIC.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DUNIC.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DUNIC.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RTH5J.tmp\is-4KUM5.tmp

Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RTH5J.tmp\is-4KUM5.tmp

Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
416KB

MD5
83330cf6e88ad32365183f31b1fd3bda

SHA1
1c5b47be2b8713746de64b39390636a81626d264

SHA256
7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e

SHA512
e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
416KB

MD5
83330cf6e88ad32365183f31b1fd3bda

SHA1
1c5b47be2b8713746de64b39390636a81626d264

SHA256
7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e

SHA512
e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
416KB

MD5
83330cf6e88ad32365183f31b1fd3bda

SHA1
1c5b47be2b8713746de64b39390636a81626d264

SHA256
7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e

SHA512
e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
\??\pipe\LOCAL\crashpad_5108_ANKENJFDFFGFHBHC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/456-15-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/456-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/456-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/532-95-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/532-92-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/532-99-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/956-282-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/956-252-0x0000000004B30000-0x000000000541B000-memory.dmp

Filesize
8.9MB

Download
memory/956-679-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/956-249-0x0000000004720000-0x0000000004B28000-memory.dmp

Filesize
4.0MB

Download
memory/956-401-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/956-570-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/1236-344-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1236-369-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1236-351-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1580-19-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1580-23-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1580-21-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1580-20-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1600-285-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/1600-270-0x0000000002AB0000-0x0000000002AB6000-memory.dmp

Filesize
24KB

Download
memory/1600-309-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/1600-236-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1632-83-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1632-86-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1632-88-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1632-107-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1784-168-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1784-141-0x00000000007E0000-0x000000000083A000-memory.dmp

Filesize
360KB

Download
memory/1784-286-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1932-218-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1932-225-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1932-320-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2152-258-0x0000000000A30000-0x0000000000BED000-memory.dmp

Filesize
1.7MB

Download
memory/2152-273-0x0000000000A30000-0x0000000000BED000-memory.dmp

Filesize
1.7MB

Download
memory/2152-192-0x0000000000A30000-0x0000000000BED000-memory.dmp

Filesize
1.7MB

Download
memory/2376-406-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2376-316-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2572-140-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/2572-152-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/2572-144-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/2572-154-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/2572-159-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/2572-233-0x0000000007BA0000-0x0000000007BB0000-memory.dmp

Filesize
64KB

Download
memory/2572-27-0x0000000003250000-0x0000000003266000-memory.dmp

Filesize
88KB

Download
memory/2572-163-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/2572-166-0x0000000003300000-0x0000000003310000-memory.dmp

Filesize
64KB

Download
memory/2572-235-0x0000000003300000-0x0000000003310000-memory.dmp

Filesize
64KB

Download
memory/2572-137-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/2572-234-0x0000000007BA0000-0x0000000007BB0000-memory.dmp

Filesize
64KB

Download
memory/2572-136-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/2572-132-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/2572-176-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/2572-175-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/2572-129-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/2572-167-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/2572-153-0x0000000007BA0000-0x0000000007BB0000-memory.dmp

Filesize
64KB

Download
memory/2572-150-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/2572-164-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/2572-123-0x0000000007B90000-0x0000000007BA0000-memory.dmp

Filesize
64KB

Download
memory/2572-117-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/2572-116-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/2572-317-0x0000000007700000-0x0000000007716000-memory.dmp

Filesize
88KB

Download
memory/2572-134-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/2572-161-0x0000000007BA0000-0x0000000007BB0000-memory.dmp

Filesize
64KB

Download
memory/2572-120-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/2668-121-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/2668-169-0x0000000005650000-0x000000000569C000-memory.dmp

Filesize
304KB

Download
memory/2668-283-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/2668-230-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/2668-160-0x0000000005460000-0x0000000005472000-memory.dmp

Filesize
72KB

Download
memory/2668-174-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/2668-155-0x0000000005A50000-0x0000000006068000-memory.dmp

Filesize
6.1MB

Download
memory/2668-108-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2668-124-0x0000000002E30000-0x0000000002E36000-memory.dmp

Filesize
24KB

Download
memory/2700-232-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/2700-281-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/2700-226-0x0000000000100000-0x0000000000274000-memory.dmp

Filesize
1.5MB

Download
memory/2804-284-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

Filesize
64KB

Download
memory/2804-276-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/2804-306-0x00007FFF4DAB0000-0x00007FFF4E571000-memory.dmp

Filesize
10.8MB

Download
memory/3644-96-0x00000000008C0000-0x00000000008CA000-memory.dmp

Filesize
40KB

Download
memory/3644-318-0x00007FFF4DAB0000-0x00007FFF4E571000-memory.dmp

Filesize
10.8MB

Download
memory/3644-100-0x00007FFF4DAB0000-0x00007FFF4E571000-memory.dmp

Filesize
10.8MB

Download
memory/3644-228-0x00007FFF4DAB0000-0x00007FFF4E571000-memory.dmp

Filesize
10.8MB

Download
memory/4068-214-0x0000000002610000-0x0000000002710000-memory.dmp

Filesize
1024KB

Download
memory/4068-216-0x0000000002600000-0x0000000002609000-memory.dmp

Filesize
36KB

Download
memory/4540-189-0x00007FF7114D0000-0x00007FF71153A000-memory.dmp

Filesize
424KB

Download
memory/4712-302-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4712-257-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4728-127-0x0000000000670000-0x00000000006A0000-memory.dmp

Filesize
192KB

Download
memory/4728-133-0x0000000002860000-0x0000000002866000-memory.dmp

Filesize
24KB

Download
memory/4728-135-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/4728-165-0x0000000005060000-0x000000000509C000-memory.dmp

Filesize
240KB

Download
memory/4728-222-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/4728-157-0x00000000050F0000-0x00000000051FA000-memory.dmp

Filesize
1.0MB

Download
memory/5756-389-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/5756-661-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download