024c7f8f739719416da7855a5e06c5579febf49b7d29f108b11e0460992ba9fc

Analysis

max time kernel
128s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
Size

319KB
MD5

2c3fc297f50b1f8a7bddc8921c8d2ed8
SHA1

5739bce3ff55026d3e000a2fc6f1bf19f2a9228c
SHA256

024c7f8f739719416da7855a5e06c5579febf49b7d29f108b11e0460992ba9fc
SHA512

69dde3a20700a172704a8fb8ee8483b1972b5ea36acfe3bf1b1d363cecdf72ad46793569812d5c950d161b76cfc6a5d1254c90ae00c73fc8723e590c3ca1e7ae
SSDEEP

3072:MEsmQEsmQEsmQEsmQEsmQEsmQEsmQEsmQEsmfQqy:MZZZZZZZZZZZZZZZZZr

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe

Executes dropped EXE 1 IoCs

pid	Process
984	exc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\credprovs.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\fveapi.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc100fra.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc120ita.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\PortableDeviceTypes.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\RunLegacyCPLElevated.exe	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\sppcext.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\cfgbkend.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\iertutil.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\joinproviderol.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\msidntld.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\ndproxystub.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\systemcpl.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\coloradapterclient.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\credprovslegacy.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\format.com	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\policymanager.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\SyncSettings.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\agentactivationruntimestarter.exe	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\KBDKOR.DLL	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\BCP47Langs.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\ir50_32.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\locale.nls	exc.exe
File created	C:\WINDOWS\SysWOW64\srmshell.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\KBDHE319.DLL	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfcm120.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\BackgroundMediaPolicy.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\dhcpsapi.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\KBDKAZ.DLL	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\mciwave.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\objsel.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\BackgroundMediaPolicy.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\eapp3hst.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\edputil.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\logagent.exe	exc.exe
File created	C:\WINDOWS\SysWOW64\mciqtz32.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\pots.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\dmintf.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\KBDAL.DLL	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File opened for modification	C:\WINDOWS\SysWOW64\atl110.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\DolbyDecMFT.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\MosHostClient.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\nlhtml.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\PortableDeviceConnectApi.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\CallButtons.ProxyStub.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\KBDHEB.DLL	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\mlang.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\netevent.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\chcp.com	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\csrr.rs	exc.exe
File created	C:\WINDOWS\SysWOW64\KBDOGHAM.DLL	exc.exe
File created	C:\WINDOWS\SysWOW64\SimAuth.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\ir32_32original.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\kernel.appcore.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc140chs.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\NcdProp.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\sfc.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\mferror.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\netjoin.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\PortableDeviceConnectApi.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\agentactivationruntimestarter.exe	exc.exe
File created	C:\WINDOWS\SysWOW64\directmanipulation.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\SysWOW64\fdProxy.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\fsutilext.dll	exc.exe

Drops file in Windows directory 44 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysmonDrv.sys	exc.exe
File created	C:\WINDOWS\HelpPane.exe	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\hh.exe	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\mib.bin	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File opened for modification	C:\WINDOWS\PFRO.log	exc.exe
File created	C:\WINDOWS\sysmon.exe	exc.exe
File created	C:\WINDOWS\write.exe	exc.exe
File created	C:\WINDOWS\hh.exe	exc.exe
File opened for modification	C:\WINDOWS\lsasetup.log	exc.exe
File opened for modification	C:\WINDOWS\lsasetup.log	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\notepad.exe	exc.exe
File opened for modification	C:\WINDOWS\Professional.xml	exc.exe
File opened for modification	C:\WINDOWS\setupact.log	exc.exe
File opened for modification	C:\WINDOWS\win.ini	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File opened for modification	C:\WINDOWS\win.ini	exc.exe
File created	C:\WINDOWS\bfsvc.exe	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\HelpPane.exe	exc.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	exc.exe
File created	C:\WINDOWS\winhlp32.exe	exc.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File opened for modification	C:\WINDOWS\system.ini	exc.exe
File created	C:\WINDOWS\winhlp32.exe	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\explorer.exe	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File opened for modification	C:\WINDOWS\Professional.xml	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File opened for modification	C:\WINDOWS\setuperr.log	exc.exe
File opened for modification	C:\WINDOWS\system.ini	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\twain_32.dll	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\twain_32.dll	exc.exe
File created	C:\WINDOWS\explorer.exe	exc.exe
File created	C:\WINDOWS\mib.bin	exc.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	exc.exe
File opened for modification	C:\WINDOWS\PFRO.log	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File opened for modification	C:\WINDOWS\setuperr.log	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\splwow64.exe	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\splwow64.exe	exc.exe
File created	C:\WINDOWS\sysmon.exe	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\bfsvc.exe	exc.exe
File opened for modification	C:\WINDOWS\SysmonDrv.sys	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\WMSysPr9.prx	exc.exe
File created	C:\WINDOWS\write.exe	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\WMSysPr9.prx	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File created	C:\WINDOWS\notepad.exe	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
File opened for modification	C:\WINDOWS\setupact.log	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3104	BackgroundTransferHost.exe
3104	BackgroundTransferHost.exe
2404	msedge.exe
2404	msedge.exe
1180	msedge.exe
1180	msedge.exe
3904	identity_helper.exe
3904	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 984	1972	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe	90
PID 1972 wrote to memory of 984	1972	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe	90
PID 1972 wrote to memory of 984	1972	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe	90
PID 984 wrote to memory of 904	984	exc.exe	108
PID 984 wrote to memory of 904	984	exc.exe	108
PID 1972 wrote to memory of 1180	1972	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe	107
PID 1972 wrote to memory of 1180	1972	2c3fc297f50b1f8a7bddc8921c8d2ed8.exe	107
PID 904 wrote to memory of 3760	904	msedge.exe	106
PID 904 wrote to memory of 3760	904	msedge.exe	106
PID 1180 wrote to memory of 1484	1180	msedge.exe	105
PID 1180 wrote to memory of 1484	1180	msedge.exe	105
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 1168	1180	msedge.exe	115
PID 1180 wrote to memory of 2404	1180	msedge.exe	114
PID 1180 wrote to memory of 2404	1180	msedge.exe	114
PID 904 wrote to memory of 2236	904	msedge.exe	111
PID 904 wrote to memory of 2236	904	msedge.exe	111
PID 904 wrote to memory of 2236	904	msedge.exe	111
PID 904 wrote to memory of 2236	904	msedge.exe	111
PID 904 wrote to memory of 2236	904	msedge.exe	111
PID 904 wrote to memory of 2236	904	msedge.exe	111
PID 904 wrote to memory of 2236	904	msedge.exe	111
PID 904 wrote to memory of 2236	904	msedge.exe	111
PID 904 wrote to memory of 2236	904	msedge.exe	111
PID 904 wrote to memory of 2236	904	msedge.exe	111
PID 904 wrote to memory of 2236	904	msedge.exe	111

C:\Users\Admin\AppData\Local\Temp\2c3fc297f50b1f8a7bddc8921c8d2ed8.exe
"C:\Users\Admin\AppData\Local\Temp\2c3fc297f50b1f8a7bddc8921c8d2ed8.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1972
- C:\exc.exe
  "C:\exc.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.freeav.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,3960063327506891466,2899602299639805586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
      4⤵
      PID:3104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,3960063327506891466,2899602299639805586,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
      4⤵
      PID:2236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.antispyware.com/
    3⤵
    PID:5712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff91d0346f8,0x7ff91d034708,0x7ff91d034718
      4⤵
      PID:32
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.freeav.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,7223250394813677454,1730605327227727677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1940 /prefetch:8
    3⤵
    PID:4008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7223250394813677454,1730605327227727677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:1036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7223250394813677454,1730605327227727677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
    3⤵
    PID:2844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,7223250394813677454,1730605327227727677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,7223250394813677454,1730605327227727677,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
    3⤵
    PID:1168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7223250394813677454,1730605327227727677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
    3⤵
    PID:3440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7223250394813677454,1730605327227727677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
    3⤵
    PID:5672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7223250394813677454,1730605327227727677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
    3⤵
    PID:5696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7223250394813677454,1730605327227727677,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
    3⤵
    PID:6088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7223250394813677454,1730605327227727677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4336 /prefetch:1
    3⤵
    PID:6080
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,7223250394813677454,1730605327227727677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3904
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,7223250394813677454,1730605327227727677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
    3⤵
    PID:2744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7223250394813677454,1730605327227727677,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
    3⤵
    PID:5592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7223250394813677454,1730605327227727677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
    3⤵
    PID:5588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7223250394813677454,1730605327227727677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1316 /prefetch:1
    3⤵
    PID:4456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7223250394813677454,1730605327227727677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
    3⤵
    PID:4860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7223250394813677454,1730605327227727677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
    3⤵
    PID:3912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7223250394813677454,1730605327227727677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
    3⤵
    PID:3604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7223250394813677454,1730605327227727677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
    3⤵
    PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.antispyware.com/
  2⤵
  PID:5340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff91d0346f8,0x7ff91d034708,0x7ff91d034718
1⤵
PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff91d0346f8,0x7ff91d034708,0x7ff91d034718
1⤵
PID:3760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff91d0346f8,0x7ff91d034708,0x7ff91d034718
  2⤵
  PID:4576

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5a6e5bd46d5bf5cf2f08b8713cdab53e

SHA1
d2d0b912734d691b4f7bee164aec5bc0067b160d

SHA256
e414e053711cea3ba0a3f8076d490fa89b67a9bf1bbb192873b7fbc07923f5de

SHA512
3166cde91b9ea84f59122bc119f99e235a8bc38eafc5aea51c6f5ad32d753cd0053f8a3968b6a24f3645956eb1e78dd67d920e43e4f60e80c5968aa074748168

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
be2bc3f563dfc588ce8164c30c06f2e7

SHA1
88e1bed7c02ccaa79e69d35127b129eaf338ca8e

SHA256
645112d7cb5653ba8a9972b14f69f5443b704b71be843c1d43e5b72c60c48b0f

SHA512
df76b39f66e7a95398de8208a16062aeb92c9cba033f6ba99cce306c860f80c72beb3b884b3e47c2d1496f674c5468d0f135dba65fba1c6b500f5f2fb2afc993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
35f77ec6332f541cd8469e0d77af0959

SHA1
abaec73284cee460025c6fcbe3b4d9b6c00f628c

SHA256
f0be4c5c99b216083bd9ee878f355e1aa508f94feb14aeebcfba4648d85563a7

SHA512
e0497dbe48503ebbf6a3c9d188b9637f80bccf9611a9e663d9e4493912d398c6b2a9eab3f506e5b524b3dabbca7bb5a88f882a117b03a3b39f43f291b59870c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d176a934dc4d0e91280635e3d9618417

SHA1
95c9337d5ae77d47ec90827a038b049cb5020214

SHA256
bf3c0596920257e222062f16794af943e81e152de1584e26b779405dff723467

SHA512
89b1d12146bdedb587833933c481560d92ee88c222a10aba1adb42134b17f079094fd1706f247bcb15bfbe3d1fb0cbea753bba0b6d322d3ed6c9ddde5dd520b4

Download Submit
C:\WINDOWS\DtcInstall.log

Filesize
57KB

MD5
13aa4cc039413e193c9c288c699ce3f7

SHA1
7daf80b0b12ae28cfb40fa0a2d09bf4268155ef3

SHA256
1d93f9cadbce9476fd38a70f2d171862e0dd07f459dd2b34ebd06f14e373c1f7

SHA512
f2ea3f550d502b8e18627a3615b1ba174c274bbb10cc9c70dd7ed6f35c41ea92ac8be7f4158ea5b7fe97f2803ae942be4ac28070ba355aa5e3454ec500c61aad

Download Submit
C:\WINDOWS\PFRO.log

Filesize
28KB

MD5
dba92a06bdb9c59a3d152d5ed88356cd

SHA1
04f293bd31bbc022753de72a70a412602e0cb6ab

SHA256
8e05712cc5ea7ba4a7384e3ff0b542d0d19458eed190f63de93b46a67e80083a

SHA512
16080da6d24579422e3b2eb031e70831436c17657c930a92cf1cd1dd3f090e0d5371ef87c439e3e28af486f40a5498ee1292ca5cef16a697ed0124da5d7829da

Download Submit
C:\WINDOWS\SysWOW64\atl100.dll

Filesize
162KB

MD5
cd1ab22ccb75f6c59f3a3b02c5aaeda5

SHA1
58edadb34f70e1ab1bdf4477a46fc908799be480

SHA256
19c3d85f46b64d2c38eef8afb99fbb64fa2eacb8f2f62e51f32701134f7f18f1

SHA512
8ef64f3852cf5687e99bb981bece2387f11af3d60a2d056c1a71365d64db9e055535eed60565887c82e0ec823cccaa4799233ac17b39070b647ecd8bb75e2eed

Download Submit
C:\WINDOWS\SysWOW64\atl110.dll

Filesize
188KB

MD5
4bff8fb7ea6caf7e5b66decfa2daf413

SHA1
93aaf0b12be08162dd6f42b57c0747f414e907eb

SHA256
fe8652d520cd34902af1c5fa6330498f87f105704ab1fb14467b9205cd1ae7ad

SHA512
8c23b75a53ed9f52c5795a45a42d1601e5688b3aa1049e9c40289c52a9f7e21be07c9d61c08902e0698b4418f3056fc269457fcf421712963191de4622622704

Download Submit
C:\WINDOWS\SysWOW64\mfc100.dll

Filesize
1024KB

MD5
64d32f7ab62f999b1da6c1959d2c0903

SHA1
5a2ecab1dbdb8f0144766358202f6af23be1437d

SHA256
5c3cf64d889c3fe06e894e5d2480342b4559a383f1d45010bb8e3fcfe8cd9e41

SHA512
8edde0584f7449a5a0ed527a18dbc67c67f4d3ba80578b430528f0a000420e35cfb2c8fd99a2320315fd491364f1a6037c86a716e633f8fe9720086225a70946

Download Submit
C:\WINDOWS\SysWOW64\mfc100chs.dll

Filesize
62KB

MD5
88b5886e2f0e5eb60dbb9548b377a0f1

SHA1
104a8601a76fbca94bb42232c238c59ba8ebef68

SHA256
9b0c5df25d5fb58489db513c36dd6bbe07ce3ec42ff4fb6c975c0dff08c69caf

SHA512
e6a16cd6908489135c523c3c141fb51cabfdb9bead392e06fd4de61e524799964ab718e692363a94b70f140e51cffbb355d096eb7299ac71aa0fc9518455a5ee

Download Submit
C:\WINDOWS\SysWOW64\mfc100cht.dll

Filesize
62KB

MD5
79310090ed0c3dba80dca048ff35f6ef

SHA1
9690f8af193442348df7d82b172236e5cf0bb8c2

SHA256
44705eed1a3967c66ddf50fd0e4226bc4cf26fb1ab34c2c0982933a4a1e246cc

SHA512
e7f2c7faf2abb9e722b6a07811c361dc3a5c9f8160fda08a4ef57bffb0ce9844ae852e8d9cc3edd7a7cf51c33aa1fbce011b26ba24a808a9fde177e3efd2d444

Download Submit
C:\WINDOWS\SysWOW64\mfc100enu.dll

Filesize
81KB

MD5
2d907badc4e2156c485e004f23716ae4

SHA1
313bf6523e0e5ea0e7d8fcc72194750a6f027ad6

SHA256
c56b186a2b7f75cd70be3f5419bd5592a99f10f5b9928698faeb97610a774c58

SHA512
91e497e035f3a89f8525235aa8461995e54be87a89c1721935956276dc2bc9125f1753f81885d5e974f840193c6c07095963f4b8e03e841dd8648cab825c22f5

Download Submit
C:\WINDOWS\SysWOW64\mfc100esn.dll

Filesize
89KB

MD5
b66e3040cdd4010aa6de09fbf8cb6d74

SHA1
35c7c6564859cd5ab432be4ea22064c570d62ad2

SHA256
ed4e717aa0243ccd3351d1985b8765783d92e729a86012a3216d7e12ec76c7ba

SHA512
b84575004574a9133bfbb9932190531babec261da3c9837301e96a93769041e66c97b5def67db9a9dfd871a9c0e4d62412a21fd6b505c2af1ba69844670110f8

Download Submit
C:\WINDOWS\SysWOW64\mfc100fra.dll

Filesize
90KB

MD5
f83624b2a064162aa5f28c9026e141dc

SHA1
c32482ecc7425b28e5f4fbee18b00081615c44d7

SHA256
a7ef264f8c5f3493eed94afc48cf1cd5af3c8c6e7a3babd1290d50666e2776c6

SHA512
d9b936afb111e5cfa92b742e99851a8125582595d0269bf748bcfdef618eae250661c35068b8a3dcb10e993082d82a8979737231efaeb4f7227878c37ac4d263

Download Submit
C:\WINDOWS\SysWOW64\mfc100ita.dll

Filesize
88KB

MD5
9c3c284dd79986a122ef04735953ceac

SHA1
b56dc4b14aafed791bdcf4bbf95db7364afd3618

SHA256
e001861bf5c08fe1e5040f4233664564d99daf60a4bb5fa7c1601ed6b15f0596

SHA512
3298d6d340fb1c69412f8257e36eee1f270c37fae029f1b6aa059cfd7c456790290211ca016d1c107e4a1b422c71f9d71fb082c782da974a878ddae6e6bcfc2e

Download Submit
C:\WINDOWS\SysmonDrv.sys

Filesize
221KB

MD5
b5495e1f1cc21d8caba794ce5652b5cb

SHA1
b87765e27d4b1a2d8a858723f3252e562588cfc3

SHA256
f0aa672945f2b6c40962832372bead890392ac79eee0d3d6df705944236462f8

SHA512
7cdded159b113bd05d808c304e09518856174a1dc37f7efedc22f34db82de40300025bfa527f4450db9e3c518cedfca1a94916df47e7d7f32a5d9750bd5e15b1

Download Submit
C:\WINDOWS\WindowsUpdate.log

Filesize
55KB

MD5
ef0b781ac569cb95a73d00668c3b7950

SHA1
586fe8522fecb76dd39289fbe864c6de9b554640

SHA256
c07d7bebc5ba2500e0a14505f9dc8499afb2432f70b74004cd71796ae08711ec

SHA512
6ed7b5ddec6909b7a67abf8aca01c30e15ce20f59d96bc533fcb9ecacd2ab1ffbea21c03811d774f8cd0f41373f999a0bf73072e44dbf4b7401a385c96abbb43

Download Submit
C:\WINDOWS\lsasetup.log

Filesize
28KB

MD5
39c7a770b31950aba1842913410a5f35

SHA1
68cfd50b25fde6fa344220b3beb8d511f58b13ff

SHA256
0297cdcff1c2951f028d748b74957c8d96a1e5d0276f1842ea1b0605aca24d47

SHA512
8d29c0f9d6ed410da5af73cb10a5e9b34cc35f9c2f263c99ac9b1574225d43ff695c57b08c8b8ede674ba11798617b511fdf0e118b5d2fbeeab35a40a70d3e70

Download Submit
C:\WINDOWS\setupact.log

Filesize
28KB

MD5
698cd7c401c8cac157bcbffc90a8b430

SHA1
6b4e62db7baafeb43dfec6ad49b228fddbd7ca9e

SHA256
df9851cffcb1389ffb554f6cfe03f809c4265175999e8966c62b329369c47cf6

SHA512
1d4b67b2310d6add2ef638d448fbb75e763fde1c2463faa7ffbc2828957926082d8b1a5eac4fe3047d97778f3bb908b4f07042e36341f66eb4c2af90a7f854af

Download Submit
C:\WINDOWS\setuperr.log

Filesize
55KB

MD5
0e6a47771bffe560f9a86968d23b0de3

SHA1
98d5e1df0faf2ee5637fe15a950668e6ddbf022b

SHA256
90546845ebc68f0a0eb8db42d802ae3c55191f5e7f613081c71f39aac2afebf4

SHA512
414f55ba856ebd9fc0f48da3c34897e46bbb552c5d2cdcede16b66f0936a8318c88855924cce21ac99df93c413bd9d636f6b30aeabba500672d2bdbd39d06c99

Download Submit
C:\WINDOWS\system.ini

Filesize
55KB

MD5
59ae5851ddc12529f79c20b3c3a744c1

SHA1
8c76cc3d73c6ca5239071833ebe2e2594e3436d2

SHA256
bf74b562885927701eb351d4610d3cd357685a55f9cd0a37b4b11a36a0f4992d

SHA512
83e4c6f5d22da5a5f2cc86c806db60488c29476f3cb0a9b3229c96608da0c28ae09e95f837fdb63e1fd63661a1b552da653525153682793dda64cfa22d33c8cf

Download Submit
C:\WINDOWS\win.ini

Filesize
55KB

MD5
248040b3324e54731e1539eb7ae0abc1

SHA1
b8c7ebe5d41c7900cbfc45dd02baa52a95f78b0e

SHA256
c1ab884e61da99b92cfd1784d6dd2267dfc1f641cb94809a2b8daebb0efe9ccb

SHA512
df4663c50625a6f79ceea7b3467609e4334b9b312a362fbab4347bfeb672b370823a54fef04680ccf532f952fd5fa84e5fb6945c9d9e76be7f9176396a2a7bfc

Download Submit
C:\exc.exe

Filesize
128KB

MD5
e2db45add9e5504c6d48c438355a9b1b

SHA1
2e99e5157f1d94635444624d2ad81725fce51aec

SHA256
a9c3bdd4c3e9fe56b861e75537c114be4ae8cbbaa81b7f9e33e5daf6124cc1cd

SHA512
7fb1611143d7b83c69b8a4d7aa35c3c9f92253a709022a741da6df0fe083dce7d3067d0d64f3b31aa9e07a722f584435fff366dbe4ab1b57bf0c264da5ccde37

Download Submit
C:\exc.exe

Filesize
96KB

MD5
f203ff3528f804ebd2b28bc65e5137d9

SHA1
9e72ad7fcd7fe71daddb58dadedb6c7979c23915

SHA256
165de33d0dc69ff2de022ca95295225c00f697a4b4fbb1aa2d1a00314ff2e553

SHA512
ed415b072baacf7e2673d75220981f45868be8ed6a7d39902d60396baef2fc1e96717b1ed4a7c198ed3cc18fea00c0b8a57fe3e75b49c5bbccffd196f520c87a

Download Submit
memory/984-57-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/984-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/984-705-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/984-537-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/984-386-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/984-175-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/984-309-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/984-59-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/984-316-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/984-362-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/984-55-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/984-356-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/984-51-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1972-308-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1972-8-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1972-355-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1972-54-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1972-361-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1972-315-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1972-385-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1972-142-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1972-536-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1972-56-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1972-699-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1972-58-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1972-47-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download