d87f723d17e0397593ea7560d6a0938e25cddcbc77b9128b90f8a1c871665ef8

Resubmissions

15-11-2023 15:28

231115-swlvbach2z 8

15-11-2023 15:23

231115-ssm8zabf47 8

Analysis

max time kernel
268s
max time network
336s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2023 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cibfts.rar
Size

912KB
MD5

ee6ddecf17318eb513fdee1c0b831e43
SHA1

cab714cbcbb90657c36cbc38523c91694fea2bd7
SHA256

d87f723d17e0397593ea7560d6a0938e25cddcbc77b9128b90f8a1c871665ef8
SHA512

5bdf541ea74dcb8a2d60be015ee67aa134f6be5f41ebf76c6d768aa3914e61938396371b5ffaa6e54086381e0f1937fa9299da36404e79baa15d68c275f72ab3
SSDEEP

24576:+5R5BbqQPYE9vKVHLMGkBvwDgcPUu9eF3NRuLj:+5P4cYE9vKVHgGkBUdsxZNRun

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	Equil.exe

Executes dropped EXE 2 IoCs

pid	Process
5292	stupidthing200.exe
2836	Equil.exe

Loads dropped DLL 10 IoCs

pid	Process
5292	stupidthing200.exe
5292	stupidthing200.exe
5292	stupidthing200.exe
5292	stupidthing200.exe
5292	stupidthing200.exe
2836	Equil.exe
2836	Equil.exe
2836	Equil.exe
2836	Equil.exe
2836	Equil.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	Equil.exe
File opened (read-only)	\??\D:	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 58 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3350690463-3549324357-1323838019-1000\{7AE4FA1B-22F8-48B6-9640-E2AF3654027B}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4696	powershell_ise.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5552	7zG.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5552	7zG.exe
Token: 35	5552	7zG.exe
Token: SeSecurityPrivilege	5552	7zG.exe
Token: SeRestorePrivilege	4980	7zG.exe
Token: 35	4980	7zG.exe
Token: SeSecurityPrivilege	4980	7zG.exe
Token: SeSecurityPrivilege	4980	7zG.exe
Token: SeShutdownPrivilege	5292	stupidthing200.exe
Token: SeShutdownPrivilege	2836	Equil.exe
Token: 33	5184	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5184	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	952	mstsc.exe
Token: SeSecurityPrivilege	952	mstsc.exe
Token: SeTakeOwnershipPrivilege	952	mstsc.exe
Token: SeLoadDriverPrivilege	952	mstsc.exe
Token: SeSystemProfilePrivilege	952	mstsc.exe
Token: SeSystemtimePrivilege	952	mstsc.exe
Token: SeProfSingleProcessPrivilege	952	mstsc.exe
Token: SeIncBasePriorityPrivilege	952	mstsc.exe
Token: SeCreatePagefilePrivilege	952	mstsc.exe
Token: SeBackupPrivilege	952	mstsc.exe
Token: SeRestorePrivilege	952	mstsc.exe
Token: SeShutdownPrivilege	952	mstsc.exe
Token: SeDebugPrivilege	952	mstsc.exe
Token: SeSystemEnvironmentPrivilege	952	mstsc.exe
Token: SeRemoteShutdownPrivilege	952	mstsc.exe
Token: SeUndockPrivilege	952	mstsc.exe
Token: SeManageVolumePrivilege	952	mstsc.exe
Token: 33	952	mstsc.exe
Token: 34	952	mstsc.exe
Token: 35	952	mstsc.exe
Token: 36	952	mstsc.exe
Token: SeDebugPrivilege	4696	powershell_ise.exe
Token: SeIncreaseQuotaPrivilege	952	mstsc.exe
Token: SeSecurityPrivilege	952	mstsc.exe
Token: SeTakeOwnershipPrivilege	952	mstsc.exe
Token: SeLoadDriverPrivilege	952	mstsc.exe
Token: SeSystemProfilePrivilege	952	mstsc.exe
Token: SeSystemtimePrivilege	952	mstsc.exe
Token: SeProfSingleProcessPrivilege	952	mstsc.exe
Token: SeIncBasePriorityPrivilege	952	mstsc.exe
Token: SeCreatePagefilePrivilege	952	mstsc.exe
Token: SeBackupPrivilege	952	mstsc.exe
Token: SeRestorePrivilege	952	mstsc.exe
Token: SeShutdownPrivilege	952	mstsc.exe
Token: SeDebugPrivilege	952	mstsc.exe
Token: SeSystemEnvironmentPrivilege	952	mstsc.exe
Token: SeRemoteShutdownPrivilege	952	mstsc.exe
Token: SeUndockPrivilege	952	mstsc.exe
Token: SeManageVolumePrivilege	952	mstsc.exe
Token: 33	952	mstsc.exe
Token: 34	952	mstsc.exe
Token: 35	952	mstsc.exe
Token: 36	952	mstsc.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
5552	7zG.exe
4980	7zG.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1128	OpenWith.exe
3708	StartMenuExperienceHost.exe
3780	SearchApp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 4696	2836	Equil.exe	121
PID 2836 wrote to memory of 4696	2836	Equil.exe	121
PID 2836 wrote to memory of 952	2836	Equil.exe	161
PID 2836 wrote to memory of 952	2836	Equil.exe	161

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\cibfts.rar
1⤵
- Modifies registry class
PID:1276

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1128

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5784

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" h -scrcSHA256 -i#7zMap7389:92:7zEvent5540
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5552

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\cibfts\" -spe -an -ai#7zMap26736:92:7zEvent6923
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4980

C:\Users\Admin\AppData\Local\Temp\cibfts\equil\stupidthing200.exe
"C:\Users\Admin\AppData\Local\Temp\cibfts\equil\stupidthing200.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5292

C:\Users\Admin\AppData\Local\Temp\cibfts\equil\Equil.exe
"C:\Users\Admin\AppData\Local\Temp\cibfts\equil\Equil.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" àâæçèêëïîôœ€àâæàâæê
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4696
- C:\Windows\System32\wbem\WMIC.exe
  "C:\Windows\System32\wbem\WMIC.exe" process where name='explorer.exe' delete
  2⤵
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.roblox.com/users/3456785112/profile https://www.youtube.com/watch?v=p_SWXJvF1vw https://www.youtube.com/watch?v=p_SWXJvF1vw https://www.roblox.com/users/2200940330/profile https://www.roblox.com/users/2200940330/profile
  2⤵
  PID:3800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb3d0746f8,0x7ffb3d074708,0x7ffb3d074718
    3⤵
    PID:4912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,10315589498811597740,12618575444212723343,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
    3⤵
    PID:2876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,10315589498811597740,12618575444212723343,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
    3⤵
    PID:3280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,10315589498811597740,12618575444212723343,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8
    3⤵
    PID:536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10315589498811597740,12618575444212723343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    3⤵
    PID:3304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10315589498811597740,12618575444212723343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    3⤵
    PID:4488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10315589498811597740,12618575444212723343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
    3⤵
    PID:5820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10315589498811597740,12618575444212723343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
    3⤵
    PID:5088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10315589498811597740,12618575444212723343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
    3⤵
    PID:3212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10315589498811597740,12618575444212723343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2076 /prefetch:1
    3⤵
    PID:5364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10315589498811597740,12618575444212723343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
    3⤵
    PID:5236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10315589498811597740,12618575444212723343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4404 /prefetch:1
    3⤵
    PID:764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10315589498811597740,12618575444212723343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
    3⤵
    PID:4068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10315589498811597740,12618575444212723343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
    3⤵
    PID:3764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10315589498811597740,12618575444212723343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
    3⤵
    PID:5640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10315589498811597740,12618575444212723343,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
    3⤵
    PID:6468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10315589498811597740,12618575444212723343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
    3⤵
    PID:6460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10315589498811597740,12618575444212723343,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1
    3⤵
    PID:7000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10315589498811597740,12618575444212723343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
    3⤵
    PID:6992
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,10315589498811597740,12618575444212723343,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7352 /prefetch:8
    3⤵
    PID:5764
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,10315589498811597740,12618575444212723343,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7352 /prefetch:8
    3⤵
    PID:3144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10315589498811597740,12618575444212723343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2184 /prefetch:1
    3⤵
    PID:6752
- C:\Windows\System32\dfrgui.exe
  "C:\Windows\System32\dfrgui.exe"
  2⤵
  PID:4780
- C:\Windows\System32\CloudNotifications.exe
  "C:\Windows\System32\CloudNotifications.exe"
  2⤵
  PID:4552
- C:\Windows\System32\tabcal.exe
  "C:\Windows\System32\tabcal.exe" /4
  2⤵
  PID:4204
- C:\Windows\System32\mstsc.exe
  "C:\Windows\System32\mstsc.exe" -v Iæêgæêd_æêîæêî_alloca
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Program Files\Common Files\microsoft shared\ink\mip.exe
  "C:\Program Files\Common Files\microsoft shared\ink\mip.exe"
  2⤵
  PID:1832
- C:\Program Files\Common Files\microsoft shared\ink\mip.exe
  "C:\Program Files\Common Files\microsoft shared\ink\mip.exe"
  2⤵
  PID:1236
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" <
  2⤵
  PID:5816
- C:\Windows\System32\msinfo32.exe
  "C:\Windows\System32\msinfo32.exe" <
  2⤵
  PID:1064
- C:\Windows\System32\msra.exe
  "C:\Windows\System32\msra.exe" <
  2⤵
  PID:5392
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe" <
  2⤵
  PID:3896
- C:\Windows\System32\wusa.exe
  "C:\Windows\System32\wusa.exe" <
  2⤵
  PID:112
- C:\Windows\System32\recdisc.exe
  "C:\Windows\System32\recdisc.exe" <
  2⤵
  PID:4432
- C:\Windows\System32\bdeunlock.exe
  "C:\Windows\System32\bdeunlock.exe" <
  2⤵
  PID:116
- C:\Windows\System32\msinfo32.exe
  "C:\Windows\System32\msinfo32.exe" <
  2⤵
  PID:6520
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" <
  2⤵
  PID:7104
- C:\Windows\System32\msra.exe
  "C:\Windows\System32\msra.exe" <
  2⤵
  PID:6636
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe" <
  2⤵
  PID:6672
- C:\Windows\System32\wusa.exe
  "C:\Windows\System32\wusa.exe" <
  2⤵
  PID:6436
- C:\Windows\System32\recdisc.exe
  "C:\Windows\System32\recdisc.exe" <
  2⤵
  PID:6076
- C:\Windows\System32\bdeunlock.exe
  "C:\Windows\System32\bdeunlock.exe" <
  2⤵
  PID:2068

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4dc 0x4e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5184

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2516

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3708

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1212

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1584

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4540

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6736

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6964

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
20KB

MD5
740d5efbbe21e49b08e78a63a4f47b00

SHA1
b28bf093b8030c9f37c94f7b2c17e4451312a031

SHA256
65c20a747dc3cd63e7f2fc629aeb1258e4b2828e9b85eb85f70ce500c8f137b4

SHA512
005b8fa6cca8720bbbfd67b176f031d7dde7475503eaa9017a72d234724e146257ae16b7f9ba73a43a7bfd51f09b43fcd0e08db9654027686109689502840073

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
23KB

MD5
e4b0d20f483b4c24ecffd4678479e3ae

SHA1
f0f3175f2c92922d123eac1e3a4c5bc8f6091b49

SHA256
ab25f94f51f31d69f3a7ff1959eafe9ddf3fad8e983fa216c91795bae573e13a

SHA512
54dda1d96956961788768dd0d5cb0ef9f660898b3b4fd1f6c02d5b092fe3629cb38f478e5e2fa5b074963616e63a235593a2de9e3fb420b502b40ded7430a715

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
44KB

MD5
28d6deba0823880f8331bd4695469645

SHA1
a9fb38e13eddaed233b777f4db8efb4762c215a2

SHA256
2897ce935bf259f030e1c67dc25840da8793d4b58bc5fc8d5450525490d62590

SHA512
05261445ce6c11d1cf49716c0a2c6c2abbc930af4b7c817d36afa7819446f7e40f740a31b8e9734a5f68a0b140f2424db8779f27bae349a429002bdb30c79e7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
42KB

MD5
07c9db325534c6ca53596f5031c81dce

SHA1
391f7e3c06683ed34c0e1c581d71d8f566524980

SHA256
59c1e0cc47656932b5a9371c73825c8486923a70155199c7b1bc3fce2858a235

SHA512
389cc8fb07c9bb639e9809800b085eebb098663513027cc76ac8790002fe40d7246e1e2a25431f750e27a2c5a84a4ca5e6b403aea756115de69fc48ccce27a3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
29KB

MD5
9b5ef1b7cf19dbdc075f6929ee5b0898

SHA1
51411b7d1982526e2e41081b41a2304170c76d20

SHA256
6848ca275152cb21d5f7f9ef6f617fb5ffb3b1cb6431723b905a2463aac6dec5

SHA512
0fa09f07ae2e213174663621546c8645082e95844d613e42c35e97edc839d3ff6dd5cf630a17c5827900fcd034a85ee20cca1fabf14fd1071730cdabb1085cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
25KB

MD5
4e0c9c19969b8ec8a77470ae016ee6db

SHA1
e3870397f0222a556e170b9c2d03ad7d182153a1

SHA256
cdf76cc2e73b4db9c2a1fac425aca31c42f4fdad95ab29c00cd3522f62f85bbc

SHA512
f27f44d3a650f2b0e99ab667da70296dc596c496075ad1b36038433aa958fc51045ff3406bf677ba05b119de4fd82ee59e315d02dfbebd9eec473e62828f5e02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
40KB

MD5
7543896374d8cc335bfcdd19e7c6fc56

SHA1
ea52998d70a72b4b2ea3328f401c5f8cab6f5065

SHA256
30a758213307cded176c3ef927a863a8eafc7779fffdb280fc953c922fa9b8de

SHA512
8da44149ba0c65b021595eb4715c0fd11aa660691794b410fc859c3d8fc4e0e770a20dcdca971630fb0e6a76bb430d7340dd5b09aa8203d94b99bed18716e9fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
59KB

MD5
7fd069146ea79b16633bc8b45f90482a

SHA1
98dfafac54f6f5db51e3baea698208833ed1b642

SHA256
a746ba588555b584fe98e42ac1a2dfbb92c2831b54c263f51fe91d124b9214d7

SHA512
c31822f497ebb35a5da455e77965f16a83e2007215ae88e64bc21019d8d45fff4671ab4300d9cf518bd2b652d071cc582fdfb99b4807c75e2022755e6c60a06c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
61KB

MD5
6192162ea19de1d7bf3e25cafa0b8d2a

SHA1
9057b0fbf664332e54800fc7e8a901790b1b0d24

SHA256
c8519b3f8c3dc89096e1aeedc26bbf94568540be1701d9c2113108ec7ebf5626

SHA512
8467d9e9c2277f44d28801ed443555537596235104ea738026dc3f84cdf7bdee7a7abe9dc563192957defd8f877fccb7a8080f951ad30528ef59a2ef50313373

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
63KB

MD5
dda98969b754c97402bde584d0ab4336

SHA1
f5240ee0f6a47136e14ddcf5d9950b7435e8071c

SHA256
a86815a08864c48755da17ee790cfdf6f79bf33b39dd9a88ea9049926a462b49

SHA512
748b0addd57fbfada49f6da4b81567fbe0929a5c7baaad160e4f725f47eb6a330c6aab22e2fdc89ca079e38b2c0037728a9b0405be0fab47e8f272a7d8b26a9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
85KB

MD5
d4a9bb7e8de8f088750f8da0db9ddee2

SHA1
d66ee47dab71c9574724661c929edc45bee2f21a

SHA256
0e10069fab6bb3083dba1b56b844c6682e9092ddd9d7932f78aeb902c14a712c

SHA512
d351afa877d7abb9152631d5aa897718b9ad10a87bbada7852891a814ff95a6acc961f81641640ee061f7207df0742b5e5ed3d833fea0a1ffb5e0aa219686c70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
20KB

MD5
efd99f6b50b61e6bc88ab81db271f5dc

SHA1
13a91d8c6aae48306779d950cd3da773bac54a04

SHA256
3eb3416904e2d4354a4760874b015d4b7ad0f4f231889eb2e80a7c2ba79c22b9

SHA512
3532987383c85b0cb80ada4314a3fd155cfb78d23470aa7ea43c40342d48982bb8b3824b65c05fe496662e433ce65598cc902cc9e51d6a32802709683221e160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
22KB

MD5
ad42f23ab734487e0dc501d211e5d5c5

SHA1
5ea444575d64b52e74efbb6c547ca0d9224f3f8a

SHA256
7ec46a487fcd85d3ce2e5c9a351fb039e253e66141ac38fc3ec339ff8c2f7e79

SHA512
1a9093f90346c069f478f87d8408ca76adeb641750292eb11cfd74f7e3fc65d3112983a4bbc14ae5098a39c5b037e9539fc0c3e32c78a78594db61755ca289bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
30KB

MD5
6fd1421c547715cb7b78ca67104bfb78

SHA1
cc7f1d6761d9c7256745ef7586ad53e3183f0e2f

SHA256
57b9a684f743cf229723c1a5e9936d930cf48c3b5056c16c09cdd71ee6fe803d

SHA512
f64899cf62a1696adbf62f597f69c3a1ddd62319071f9a87076977b9f6c80992b333223a07cc1645a2fd578306e30abae12e18afc41cd582ee9717ebcb423a69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
21KB

MD5
dc22ef21d3563a9f24a2acd88c9504b8

SHA1
2111670236fa4af9f35b0cfd825f97c7c5dd7a96

SHA256
61f3a10d4e6bd457dd987b6131a83cc4f4bd1820b505a2752b26d2c5e56a4d61

SHA512
77e33b95f1c4c7a3f3e962eca45c493fb339291877a6436f31e58fa9ad90c3128526eaf69733f7705610a16944128a100cb29943d578e67c9ba47b4b08b4abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
101KB

MD5
01ae9a6deda41e2697d7a7ef1eab3deb

SHA1
ac05f371737893353c57846ec8df3914c9b29da5

SHA256
6d1c1b9d6956b68632dabd70057c91185dfa8f170860cd9358d8494bef5ddc31

SHA512
aed29e3d8d3cdf66c133529cac8faf2379b99e045bd47ea8f2e258dcb900371f3a4119d28eb4c7ad605ee000f248409d363f9b0a61da090494297f12aaca4d15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
16KB

MD5
3d0489ff67454784ebf2d68b7db1cab3

SHA1
dddea62b3895ba3e0c7efedd70171acfe0d407e5

SHA256
74dcb0c9d7a636705d1b2d2423250c77f14a64e50217bc44c7f5d5b3aa81b186

SHA512
872360126efdf233fb3c17e79779077411e26d00b1e48efd6f911298c364454b4f951570b87791d42c7af9725fa23fc7f5f8f37bc8915489d125a7828b11f730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
20KB

MD5
d566cd4779498afc84defa6c5b79369c

SHA1
34cfd428521d0bdab7fa84b9bbe9a74a638b0226

SHA256
18f8604ec9293348adfeedce17ea01ea2223d9b24e18f2926e434eae786813f4

SHA512
423d928ecde9334f5531a451c9c715b5dcc655c12690c495e9fac34e3c372cafc25e6a8662cbad90432bacc6c64ebd94d9195b37281da2a9a0ccc915739fe13c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
75KB

MD5
15a2f0d9497bdefec193f1951b076696

SHA1
b673c0729fa90d589261edd38bcaa74439297cdf

SHA256
aad6b6bb918d96aa219dcb54ff8a8a9587a9abbe51b4ee131fdb1a82f028745b

SHA512
36cb398ffe146e46e57ba37a2ac92d03476ac0b0368c64ce0102ac3b9d6a484d5e4200c136db9e04f25b327641299457b8f9d140aba6bef6a9fdc04313415e42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
37KB

MD5
245c77932466cb3b7c386134b457155b

SHA1
794fc843814eff6cc2b1afd192694249f1469628

SHA256
38cdb54decd98917d67516b410ad4bc1931dc6b3a7ccfbc243c5856159422238

SHA512
c03166f748f2f52eae43665be3a1d211f3b5a8658bca9c595f2c6d3405ccca33c0ad74fdadf982236018ebe6e59dd11269d89916934c0f6c79c3b9e306766a73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
73KB

MD5
78d435adf2ae98d72a780707cb5de82a

SHA1
2989eeb1a414a0eee3d54ed6113f96fb4079bf7a

SHA256
ee811bcd9a0ef21a1961df01082a5cdd1d9725192cd6734a6c9654cac09f09b2

SHA512
bc50afc5d00562c643fcb4208938e5a98292a7c174d147ccafd6dd2059a085e88298356b73892d1348192afcff7bc61a1f3ccaa3a0c7da1eb6c5b207120fecf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
76KB

MD5
94c1e5d424a00fc27fa9074d55a5fbae

SHA1
67c24a8b8f0e341b45dd86185e10939e11008205

SHA256
1eaa371e337ddf806a47868cf5beaec9c3f6cfe5bc2c355be810541ee75db520

SHA512
05879330856fb5b997c2f47f05e3eb36c826f94faa2e891bf28594f073e4356528a90c63dc0ef5f35292e4c4be9dfa32198fb89e9abfcb18e2ab29dc770d0cf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
83KB

MD5
c05feb0c3c0a0c27fe68c703fa02ea1f

SHA1
8b29318dbbccb05063c8f54110b2f8a3ec19b12f

SHA256
01c37938dd9717147632d9b77cd6ae6c529d9802d690299bb6feac683bee754b

SHA512
8af804b588bd9e251304dc919e51d610335d4b9bee5920fa5603f498076fb4817f7411c071001fe7c5ebe05662b453257edf590ed99b1fb761bcf013a8809052

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
43KB

MD5
66d562e3299ee732a53db150038c026e

SHA1
f514a9e346cd443d196c1bc401f078a9fa147323

SHA256
252d971616775193836fe6c0c057edc13c511ed2bdbdb61fbe3c4567a3a8e530

SHA512
ee24be2709cb98ccbde710654eb1ba533e432819caa8c6bf1fedfeceec452fa3c5f3b2402efc06e75d59e55b6e7beaa71f88bd049fad8e17449c0fde217a6468

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
172KB

MD5
6625236ef7b43cdeaffdbe69d99ef190

SHA1
ab5d5935735c23521893cb341dda95eb4180f293

SHA256
9592d065d3463d39a2056e766c378ad53938d02fbfaddb7545065c5e9474e447

SHA512
422619d41e5245b6b55e4afd20a9a600b0fdf627fa5b789ba80a54261eb030fb8df4ce35a688127f545e70a955653476284a597ee4f58eb35e66899152d7ef4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
42KB

MD5
6eafc48312528e2515d622428b6b95cc

SHA1
8c21c748004366757a93c587668ab55cb6a4bdf0

SHA256
dee6942321440ad24c989d45fd96bf0c0c11e63e04357af2128118eb75eb887b

SHA512
c501160df9b93014d510cd22060704b434fac4c6ba242d3e625e1bb6e838aca31889197e74fd4d082f4333147ec18197b2a31619d55d37c9157ec275621ee64a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
42KB

MD5
3c102ace52ea35b16da4383819acfa38

SHA1
91a9953eeaf4ed11a424ea57bd3c2dfaa686c948

SHA256
eb447eecadbf640fa5e062754192cd7c2b60b4d37c621320ca3eb7ab25b0c3ca

SHA512
1fc15585854512f6b5652719b8443c3e421eb88699035f18a6e13de5528b72d858e5bde40b9c2863effb3c9cd570197fc718d0c2a61b334ef5133efabd050a95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
31KB

MD5
5be09c7c686dbba1984fc1a2bacb772c

SHA1
b0626f753ce1f18bd01b5c29d86af92a7152e07f

SHA256
c85491a931fe791cd1b23d54b42bd7abec503842ed5cb76420ab365c4ff45b4a

SHA512
2fb59449fa9a0334e85c0342352037a60378e484ad0e0cc417b9559fa8ef7ac81c972a50dff01d177db0875bf244b3ba90bda0565e269be8e745aa7470e223b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
57KB

MD5
c37a5314ba360c995451518527cf293c

SHA1
22d1c9ce7d909b3ff70f6ec0c8bcbf999015ba11

SHA256
65beb8051538d1938ec9af6e82affd097e681aca80afcc3893fc7d1081fa23b3

SHA512
51c80c33f1b1756ea187827ef20cc4ba1917a7727759adcb23daff5585ba5e2fce7d98162ce0659ff50fa556e8b0c8d58ad7143e93f74808d6c287b25b2ed3e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
41KB

MD5
38e00f7de6f417aa3a458560a15e2b8a

SHA1
b451a3a2ab0b04170804d6cf823c6465f33f6f44

SHA256
cafe3fe334035fb21ebef6484cfbe1efa85c46f02113c57f8047c875fb9928c5

SHA512
659f0a9a53e98b2e5dd3256c55b96e5cff82f6b323edd5f92f8eb9897e1376329454734c6c799963ae392833d948eac84fb9b483a5a099c9ab942990a18e7f91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
702d1d645c165941a029547101b269a3

SHA1
863877028d71cfe1e0e94ecd6379f24d14cfc301

SHA256
a63da647ca7013d2cbbba9e219c38a45f36b98083b78a691a6917688a7c7cf61

SHA512
1948cc31a49b08736ebf4e85f952f7be704c0eae6c889903f3de6e6accec54e673fd9e2d0a6e0fa725a5cb5c30bee405167eabb3859a1515a40c89b6aef1570d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d09857b21f772d3d9e8b4fbdb31fa7e1

SHA1
5ad30399d6383e56187595b321913221c9f1a25f

SHA256
7437d917cd8d9b16def8102c30ea76a288d14fbfe6b76e3d163b944f3db8093d

SHA512
4dbf9db277ae3cb23d2efece68c0bd94a081114b99716149a454b92d7b5217d01738a726e39cf96e1d172938f6b743cb1f8d20ee33f2e2c880355cad6b31ba9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1c706d53e85fb5321a8396d197051531

SHA1
0d92aa8524fb1d47e7ee5d614e58a398c06141a4

SHA256
80c44553381f37e930f1c82a1dc2e77acd7b955ec0dc99d090d5bd6b32c3c932

SHA512
d43867392c553d4afffa45a1b87a74e819964011fb1226ee54e23a98fc63ca80e266730cec6796a2afa435b1ea28aed72c55eae1ae5d31ec778f53be3e2162fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
510192d7aeb5883d6984f7c4c8eb3f79

SHA1
0e3155b7eede41b898a07ea9a475603ac644d01f

SHA256
14dee789e51ac23f35aa24fd2085c248ecf8f5a39c9ebb3b92cf3ba119e57dad

SHA512
6293d4b2efa4953841ac478bdebe2a546ba04f8c4317c41a0fb62b81ec755ccf4e23f2b2aad7bba175fb51f90105bc6d1bfdc125b971b6078198b2a49f616a9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5cba7e.TMP

Filesize
89B

MD5
43cd2c9a1bff4ae713c96378e544d675

SHA1
7c4e6e501d3c2aca89f3d2854cf2bd5d194a85ac

SHA256
1822f7c9ae617b8cd5914ac3c5332ac80cd3ef94c9b266e71f2cc88b5f776868

SHA512
b8a6b092f81192db16764cc402632ffed32ea0bd31f4d0cec12ba9733143cd416e42aa75dfaff16e8f342e6e978263033e3ab43c17742c1bf077a3b50caeec3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
61bd8d037903dbc17951ae0f4d347710

SHA1
6eb9fb3769b43f0948d533266aad500f8f423a6d

SHA256
92ec0ca97da4a5ffe904336310e9e8768c656ba2f8a073e5ef3f81e66e87545b

SHA512
dcbb35dc0605123fd6c4e543055a8e54ce924afc872e180d5c3228608c950bc2c2f4b7059e5911fbfdcc39b97b8e3b63d37620f256828a89759ae1c586a01e8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
3eb9f3584c24bffe62c4b300c3a5de3d

SHA1
0de2fed3ed06a6ae8dc0800aabca935f91c2013a

SHA256
7637310c3fbfca2ec5ed37d85ed634b870790d799f8b0374256bf4144c6abc8e

SHA512
32d045bbe658c5acf282e362af1220c77be12437b694dc632990a0ed725cb8a6f42cb4aef2d91f236d5cd495234b73e2b41bd146c0f6a040c972acad4439b7fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5c4a9d.TMP

Filesize
3KB

MD5
f6e883743e8956c3831f4b32dd9f592b

SHA1
60fbfe1785494626f35ae39d333f90ab12f5d069

SHA256
5e0257ed064e5e2823eae1f8a517e456e0f6466b598398a9bb06e0732f420666

SHA512
f29f6faa6271bd7b5029dc6f85689d3b2f78239c6cb597707592bb4028026a75e98d0b19779fa782dc77e4f4adc6fcc849927926078b1ea1405e0112c409fd68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ff378bcc3e63661fc632e56fd980fd29

SHA1
b5d83b0cdee5bcaac157d2b5478062a264e0116e

SHA256
e8ed098f59ca427ec57b0df571f5124410827748785c1f72650b40c2af06f391

SHA512
ef7381ecedb1aab458335fc686d5baebda99447791fc4428be570e6ebffd8952f3dc1e76f570699f71bbd62367684a1661bd7a5f1a8e376b4a103b68404737fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5VRLB1M0\microsoft.windows[1].xml

Filesize
97B

MD5
08e988cf9ba89661e30c9a88dcfd71d1

SHA1
c1c01b45f5ed8e34ed4f7fb2dd84d176d328a316

SHA256
dc2f4f6093e2f6f32a6ea7290d3350c88a6cac8d2d4de273cb3df33c92bbf340

SHA512
aed76e36773a8bce64cdf11a53b4d0709a095cc4865e2288ebe3aa4af27070c10041d07de52a920a74a6fb5bb8b3b2b6f483d96529c0409cc70bf5a95673e6af

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5VRLB1M0\microsoft.windows[1].xml

Filesize
97B

MD5
08e988cf9ba89661e30c9a88dcfd71d1

SHA1
c1c01b45f5ed8e34ed4f7fb2dd84d176d328a316

SHA256
dc2f4f6093e2f6f32a6ea7290d3350c88a6cac8d2d4de273cb3df33c92bbf340

SHA512
aed76e36773a8bce64cdf11a53b4d0709a095cc4865e2288ebe3aa4af27070c10041d07de52a920a74a6fb5bb8b3b2b6f483d96529c0409cc70bf5a95673e6af

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5VRLB1M0\microsoft.windows[1].xml

Filesize
97B

MD5
08e988cf9ba89661e30c9a88dcfd71d1

SHA1
c1c01b45f5ed8e34ed4f7fb2dd84d176d328a316

SHA256
dc2f4f6093e2f6f32a6ea7290d3350c88a6cac8d2d4de273cb3df33c92bbf340

SHA512
aed76e36773a8bce64cdf11a53b4d0709a095cc4865e2288ebe3aa4af27070c10041d07de52a920a74a6fb5bb8b3b2b6f483d96529c0409cc70bf5a95673e6af

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5VRLB1M0\microsoft.windows[1].xml

Filesize
97B

MD5
08e988cf9ba89661e30c9a88dcfd71d1

SHA1
c1c01b45f5ed8e34ed4f7fb2dd84d176d328a316

SHA256
dc2f4f6093e2f6f32a6ea7290d3350c88a6cac8d2d4de273cb3df33c92bbf340

SHA512
aed76e36773a8bce64cdf11a53b4d0709a095cc4865e2288ebe3aa4af27070c10041d07de52a920a74a6fb5bb8b3b2b6f483d96529c0409cc70bf5a95673e6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u3ol2t4k.jol.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cibfts\equil\Equil.exe

Filesize
315KB

MD5
1072ebb6213cc03ac9e95ba8d9e64e0d

SHA1
9f55afff7552396fb06ef40b20a0758a1696e24a

SHA256
9bb70607d34ec9888aeda348c1dfa7984d5365586115e0fa6bd0fbf221f6d48b

SHA512
6cdc9c53ae2d5195a94338e470ad670dbbc0f65254bc4ab16c21bf4d15ff94c6760de807341ade5c651f1c87a429fea80aab57f72afa5d3ab285102385b72001

Download Submit
C:\Users\Admin\AppData\Local\Temp\cibfts\equil\Equil.exe

Filesize
315KB

MD5
1072ebb6213cc03ac9e95ba8d9e64e0d

SHA1
9f55afff7552396fb06ef40b20a0758a1696e24a

SHA256
9bb70607d34ec9888aeda348c1dfa7984d5365586115e0fa6bd0fbf221f6d48b

SHA512
6cdc9c53ae2d5195a94338e470ad670dbbc0f65254bc4ab16c21bf4d15ff94c6760de807341ade5c651f1c87a429fea80aab57f72afa5d3ab285102385b72001

Download Submit
C:\Users\Admin\AppData\Local\Temp\cibfts\equil\MSVCP140D.dll

Filesize
899KB

MD5
65b580c9a8174fc67e1b1af0a2a715d3

SHA1
8cd8ea9c8da94c6dc559c7f63606fbf0fc4ea47a

SHA256
c722452e02d2ff3362c8fc948566ba9cafd7f069688ede9a47f5307b19f09d59

SHA512
e3eba5caf4c1d86b7b270d1b10ac52c68d53c8c688cb226b9b27afaf4f3685f50396a6524b9d842657e479d88af2d6f65ceb5b42eeceeffbb353a4cf840f5a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\cibfts\equil\VCRUNTIME140D.dll

Filesize
162KB

MD5
54132dd5c5c2bb30c5118164b495529c

SHA1
b491106d246200463f58a3f2211fb51a34cb1b0e

SHA256
b7580fd2d2a607463a1f833f64c3dd599165172c921bf1e5b17927269b3e1b16

SHA512
aa701faf468b282f834fd6a0a06f5310075aabc891c3165f740a4a9ed047aa6cb3dd5c32ccd9504f52b45b06670685ec5cbd7271c46b149e18229141cf75837f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cibfts\equil\VCRUNTIME140_1D.dll

Filesize
52KB

MD5
af2ff5d5a619fe0ad4f08641ca500b03

SHA1
37717918f9c76b7a4df16923c14a57f66a244ed6

SHA256
ad5303adfe2db81f00bbfafe76205522005976e11148c8e91cab7d6cebc84942

SHA512
0c12d0dea9c60712e5a1f866b04c5c877ac7866b7a7a5793ea18784aa84985c5c506c95fe8e2cf57d2801a926433fa0c6e3466cd77d6bb0ee69496bfc9710cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cibfts\equil\msvcp140d.dll

Filesize
899KB

MD5
65b580c9a8174fc67e1b1af0a2a715d3

SHA1
8cd8ea9c8da94c6dc559c7f63606fbf0fc4ea47a

SHA256
c722452e02d2ff3362c8fc948566ba9cafd7f069688ede9a47f5307b19f09d59

SHA512
e3eba5caf4c1d86b7b270d1b10ac52c68d53c8c688cb226b9b27afaf4f3685f50396a6524b9d842657e479d88af2d6f65ceb5b42eeceeffbb353a4cf840f5a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\cibfts\equil\msvcp140d.dll

Filesize
899KB

MD5
65b580c9a8174fc67e1b1af0a2a715d3

SHA1
8cd8ea9c8da94c6dc559c7f63606fbf0fc4ea47a

SHA256
c722452e02d2ff3362c8fc948566ba9cafd7f069688ede9a47f5307b19f09d59

SHA512
e3eba5caf4c1d86b7b270d1b10ac52c68d53c8c688cb226b9b27afaf4f3685f50396a6524b9d842657e479d88af2d6f65ceb5b42eeceeffbb353a4cf840f5a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\cibfts\equil\stupidthing200.exe

Filesize
305KB

MD5
d0428771b2ed046406580f84959c43a5

SHA1
99c42e765225bace02653b8bf9a75e21cf66e0b3

SHA256
ed0c7e37f3992c80fb00180ad9bf9250e014d1f00ba090a2a41847aaa716dba0

SHA512
9d72c884e66bdadb939dd594b730c88ef97e5785c11e0db4f3ca5331145a8c653940cb1f9b4562313fb3f3597e0efd560cb828845273bbe6620d583c87433a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cibfts\equil\stupidthing200.exe

Filesize
305KB

MD5
d0428771b2ed046406580f84959c43a5

SHA1
99c42e765225bace02653b8bf9a75e21cf66e0b3

SHA256
ed0c7e37f3992c80fb00180ad9bf9250e014d1f00ba090a2a41847aaa716dba0

SHA512
9d72c884e66bdadb939dd594b730c88ef97e5785c11e0db4f3ca5331145a8c653940cb1f9b4562313fb3f3597e0efd560cb828845273bbe6620d583c87433a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cibfts\equil\ucrtbased.dll

Filesize
1.8MB

MD5
7873612dddd9152d70d892427bc45ef0

SHA1
ab9079a43a784471ca31c4f0a34b698d99334dfa

SHA256
203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf

SHA512
d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

Download Submit
C:\Users\Admin\AppData\Local\Temp\cibfts\equil\ucrtbased.dll

Filesize
1.8MB

MD5
7873612dddd9152d70d892427bc45ef0

SHA1
ab9079a43a784471ca31c4f0a34b698d99334dfa

SHA256
203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf

SHA512
d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

Download Submit
C:\Users\Admin\AppData\Local\Temp\cibfts\equil\ucrtbased.dll

Filesize
1.8MB

MD5
7873612dddd9152d70d892427bc45ef0

SHA1
ab9079a43a784471ca31c4f0a34b698d99334dfa

SHA256
203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf

SHA512
d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

Download Submit
C:\Users\Admin\AppData\Local\Temp\cibfts\equil\vcruntime140_1d.dll

Filesize
52KB

MD5
af2ff5d5a619fe0ad4f08641ca500b03

SHA1
37717918f9c76b7a4df16923c14a57f66a244ed6

SHA256
ad5303adfe2db81f00bbfafe76205522005976e11148c8e91cab7d6cebc84942

SHA512
0c12d0dea9c60712e5a1f866b04c5c877ac7866b7a7a5793ea18784aa84985c5c506c95fe8e2cf57d2801a926433fa0c6e3466cd77d6bb0ee69496bfc9710cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cibfts\equil\vcruntime140_1d.dll

Filesize
52KB

MD5
af2ff5d5a619fe0ad4f08641ca500b03

SHA1
37717918f9c76b7a4df16923c14a57f66a244ed6

SHA256
ad5303adfe2db81f00bbfafe76205522005976e11148c8e91cab7d6cebc84942

SHA512
0c12d0dea9c60712e5a1f866b04c5c877ac7866b7a7a5793ea18784aa84985c5c506c95fe8e2cf57d2801a926433fa0c6e3466cd77d6bb0ee69496bfc9710cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cibfts\equil\vcruntime140_1d.dll

Filesize
52KB

MD5
af2ff5d5a619fe0ad4f08641ca500b03

SHA1
37717918f9c76b7a4df16923c14a57f66a244ed6

SHA256
ad5303adfe2db81f00bbfafe76205522005976e11148c8e91cab7d6cebc84942

SHA512
0c12d0dea9c60712e5a1f866b04c5c877ac7866b7a7a5793ea18784aa84985c5c506c95fe8e2cf57d2801a926433fa0c6e3466cd77d6bb0ee69496bfc9710cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cibfts\equil\vcruntime140d.dll

Filesize
162KB

MD5
54132dd5c5c2bb30c5118164b495529c

SHA1
b491106d246200463f58a3f2211fb51a34cb1b0e

SHA256
b7580fd2d2a607463a1f833f64c3dd599165172c921bf1e5b17927269b3e1b16

SHA512
aa701faf468b282f834fd6a0a06f5310075aabc891c3165f740a4a9ed047aa6cb3dd5c32ccd9504f52b45b06670685ec5cbd7271c46b149e18229141cf75837f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cibfts\equil\vcruntime140d.dll

Filesize
162KB

MD5
54132dd5c5c2bb30c5118164b495529c

SHA1
b491106d246200463f58a3f2211fb51a34cb1b0e

SHA256
b7580fd2d2a607463a1f833f64c3dd599165172c921bf1e5b17927269b3e1b16

SHA512
aa701faf468b282f834fd6a0a06f5310075aabc891c3165f740a4a9ed047aa6cb3dd5c32ccd9504f52b45b06670685ec5cbd7271c46b149e18229141cf75837f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cibfts\equil\vcruntime140d.dll

Filesize
162KB

MD5
54132dd5c5c2bb30c5118164b495529c

SHA1
b491106d246200463f58a3f2211fb51a34cb1b0e

SHA256
b7580fd2d2a607463a1f833f64c3dd599165172c921bf1e5b17927269b3e1b16

SHA512
aa701faf468b282f834fd6a0a06f5310075aabc891c3165f740a4a9ed047aa6cb3dd5c32ccd9504f52b45b06670685ec5cbd7271c46b149e18229141cf75837f

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
1KB

MD5
aa83559aa151d17d84c58944223a9107

SHA1
43fc67b735968af1e07ce4c16160c54ebee1f682

SHA256
40a9aa93a4f4ef5b57334f69e3ee2e68a40d9a15a825fb3ca2c25a5c567a74ef

SHA512
9791372af492ad27580079ca5859f26da145e79e4682f8797a0b79c177ee673974164aac54e4b4d3445e02e64a02ee42972a88221afc4d7ca76a8f65d495fdab

Download Submit
memory/2516-48-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/2836-353-0x00007FF6D02A0000-0x00007FF6D030A000-memory.dmp

Filesize
424KB

Download
memory/2836-27-0x00007FF6D02A0000-0x00007FF6D030A000-memory.dmp

Filesize
424KB

Download
memory/3780-56-0x0000015423C00000-0x0000015423C20000-memory.dmp

Filesize
128KB

Download
memory/3780-54-0x0000015423C40000-0x0000015423C60000-memory.dmp

Filesize
128KB

Download
memory/3780-62-0x0000015424010000-0x0000015424030000-memory.dmp

Filesize
128KB

Download
memory/4696-40-0x000001B9A0800000-0x000001B9A080E000-memory.dmp

Filesize
56KB

Download
memory/4696-586-0x000001B986280000-0x000001B986290000-memory.dmp

Filesize
64KB

Download
memory/4696-35-0x000001B984570000-0x000001B9845A8000-memory.dmp

Filesize
224KB

Download
memory/4696-36-0x00007FFB3A500000-0x00007FFB3AFC1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-37-0x000001B986280000-0x000001B986290000-memory.dmp

Filesize
64KB

Download
memory/4696-38-0x000001B986280000-0x000001B986290000-memory.dmp

Filesize
64KB

Download
memory/4696-39-0x000001B9A0B40000-0x000001B9A0B8A000-memory.dmp

Filesize
296KB

Download
memory/4696-41-0x000001B9A0B90000-0x000001B9A0BC8000-memory.dmp

Filesize
224KB

Download
memory/4696-526-0x000001B986280000-0x000001B986290000-memory.dmp

Filesize
64KB

Download
memory/4696-483-0x000001B986280000-0x000001B986290000-memory.dmp

Filesize
64KB

Download
memory/4696-393-0x000001B986280000-0x000001B986290000-memory.dmp

Filesize
64KB

Download
memory/4696-382-0x00007FFB3A500000-0x00007FFB3AFC1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-64-0x000001B9A0B00000-0x000001B9A0B08000-memory.dmp

Filesize
32KB

Download
memory/4696-79-0x000001B986280000-0x000001B986290000-memory.dmp

Filesize
64KB

Download
memory/4696-78-0x000001B9A0ED0000-0x000001B9A0EF2000-memory.dmp

Filesize
136KB

Download
memory/4696-86-0x000001B9A0DF0000-0x000001B9A0DF8000-memory.dmp

Filesize
32KB

Download
memory/4696-87-0x000001B9A0E00000-0x000001B9A0E08000-memory.dmp

Filesize
32KB

Download
memory/4848-342-0x000002CD27920000-0x000002CD27940000-memory.dmp

Filesize
128KB

Download
memory/4848-345-0x000002CD275E0000-0x000002CD27600000-memory.dmp

Filesize
128KB

Download
memory/4848-349-0x000002CD27D00000-0x000002CD27D20000-memory.dmp

Filesize
128KB

Download
memory/5292-15-0x00007FF7DA120000-0x00007FF7DA187000-memory.dmp

Filesize
412KB

Download
memory/5292-34-0x00007FF7DA120000-0x00007FF7DA187000-memory.dmp

Filesize
412KB

Download
memory/6736-637-0x00000215BB170000-0x00000215BB190000-memory.dmp

Filesize
128KB

Download
memory/6736-632-0x00000215BADA0000-0x00000215BADC0000-memory.dmp

Filesize
128KB

Download
memory/6736-635-0x00000215BAD60000-0x00000215BAD80000-memory.dmp

Filesize
128KB

Download
memory/6784-536-0x00000185F8430000-0x00000185F8450000-memory.dmp

Filesize
128KB

Download
memory/6784-533-0x00000185F8470000-0x00000185F8490000-memory.dmp

Filesize
128KB

Download
memory/6784-549-0x00000185F8880000-0x00000185F88A0000-memory.dmp

Filesize
128KB

Download
memory/6832-1021-0x000001D172840000-0x000001D172860000-memory.dmp

Filesize
128KB

Download
memory/6832-1023-0x000001D172C50000-0x000001D172C70000-memory.dmp

Filesize
128KB

Download
memory/6832-1018-0x000001D172880000-0x000001D1728A0000-memory.dmp

Filesize
128KB

Download
memory/6964-784-0x0000024F38A60000-0x0000024F38A80000-memory.dmp

Filesize
128KB

Download
memory/6964-779-0x0000024F38690000-0x0000024F386B0000-memory.dmp

Filesize
128KB

Download
memory/6964-782-0x0000024F38650000-0x0000024F38670000-memory.dmp

Filesize
128KB

Download