752a8943fb82316c70333d28229ce8cad07388caa31eda8896e06d405842d361

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

113KB
MD5

40f4b2100ace82e3974f1d0968799ec6
SHA1

93d75a452b6078166b2b5076786fe8c71ae2d761
SHA256

752a8943fb82316c70333d28229ce8cad07388caa31eda8896e06d405842d361
SHA512

40df6a870fb195bd1ee2b64b71c9af05d6608d764aa01b1b6ec12b34cb956c3ca7c1b4c6fcb62df11763634ebe328ae92a2b0dcaba6300eecd030712b958bb61
SSDEEP

1536:XdC86GfJfdf7HNGGHZDE6vmqH30Y7AR+0cNjQ3Dffms1SEH+z4VGG5lHhMfM3OBC:JAU0yjOmE+0SOJR

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

drweb-12.0-ss-win.exedrweb-12.0-ss-win.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\458DFCD474338B8C\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\D0FA19A2D.sys"	drweb-12.0-ss-win.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\458DFCD474338B8C\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\D22901F02.sys"	drweb-12.0-ss-win.exe

Executes dropped EXE 4 IoCs

Processes:

drweb-12.0-ss-win.exewin-space-setup.exedrweb-12.0-ss-win.exewin-space-setup.exe

pid process

4472 drweb-12.0-ss-win.exe
2704 win-space-setup.exe
4364 drweb-12.0-ss-win.exe
2544 win-space-setup.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4472	drweb-12.0-ss-win.exe
2704	win-space-setup.exe
4364	drweb-12.0-ss-win.exe
2544	win-space-setup.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000eb40c78f8f3426de0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000eb40c78f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900eb40c78f000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1deb40c78f000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000eb40c78f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

win-space-setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	win-space-setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	win-space-setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 948694.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 948694.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
4468	msedge.exe
4468	msedge.exe
4592	msedge.exe
4592	msedge.exe
4384	identity_helper.exe
4384	identity_helper.exe
1892	msedge.exe
1892	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

drweb-12.0-ss-win.exedrweb-12.0-ss-win.exe

pid process

4472 drweb-12.0-ss-win.exe
4364 drweb-12.0-ss-win.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

4592 msedge.exe
4592 msedge.exe
4592 msedge.exe
4592 msedge.exe
4592 msedge.exe
4592 msedge.exe
4592 msedge.exe
4592 msedge.exe
4592 msedge.exe

pid	process
4472	drweb-12.0-ss-win.exe
4364	drweb-12.0-ss-win.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

drweb-12.0-ss-win.exedrweb-12.0-ss-win.exewin-space-setup.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4472	drweb-12.0-ss-win.exe
Token: SeLoadDriverPrivilege	4472	drweb-12.0-ss-win.exe
Token: SeDebugPrivilege	4364	drweb-12.0-ss-win.exe
Token: SeLoadDriverPrivilege	4364	drweb-12.0-ss-win.exe
Token: SeTakeOwnershipPrivilege	2704	win-space-setup.exe
Token: SeBackupPrivilege	3636	vssvc.exe
Token: SeRestorePrivilege	3636	vssvc.exe
Token: SeAuditPrivilege	3636	vssvc.exe
Token: SeBackupPrivilege	2704	win-space-setup.exe
Token: SeRestorePrivilege	2704	win-space-setup.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4592 wrote to memory of 1600	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 1600	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4468	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4468	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4256	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4256	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4256	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4256	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4256	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4256	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4256	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4256	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4256	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4256	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4256	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4256	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4256	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4256	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4256	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4256	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4256	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4256	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4256	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4256	4592	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa088046f8,0x7ffa08804708,0x7ffa08804718
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,9307063580948821480,4249892525957605923,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,9307063580948821480,4249892525957605923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,9307063580948821480,4249892525957605923,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9307063580948821480,4249892525957605923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9307063580948821480,4249892525957605923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,9307063580948821480,4249892525957605923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,9307063580948821480,4249892525957605923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9307063580948821480,4249892525957605923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9307063580948821480,4249892525957605923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9307063580948821480,4249892525957605923,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9307063580948821480,4249892525957605923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9307063580948821480,4249892525957605923,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9307063580948821480,4249892525957605923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9307063580948821480,4249892525957605923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,9307063580948821480,4249892525957605923,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2032,9307063580948821480,4249892525957605923,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6288 /prefetch:8
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2032,9307063580948821480,4249892525957605923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1892
- C:\Users\Admin\Downloads\drweb-12.0-ss-win.exe
  "C:\Users\Admin\Downloads\drweb-12.0-ss-win.exe"
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- - C:\Users\Admin\AppData\Local\Temp\E58DB2FE-7030457B-87CD4BAE-5C8BB12A\win-space-setup.exe
    "C:\Users\Admin\AppData\Local\Temp\E58DB2FE-7030457B-87CD4BAE-5C8BB12A\win-space-setup.exe" /distribpath "C:\Users\Admin\Downloads\drweb-12.0-ss-win.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- C:\Users\Admin\Downloads\drweb-12.0-ss-win.exe
  "C:\Users\Admin\Downloads\drweb-12.0-ss-win.exe"
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- - C:\Users\Admin\AppData\Local\Temp\72FCF52-26A98B7A-50566576-9F2283C6\win-space-setup.exe
    "C:\Users\Admin\AppData\Local\Temp\72FCF52-26A98B7A-50566576-9F2283C6\win-space-setup.exe" /distribpath "C:\Users\Admin\Downloads\drweb-12.0-ss-win.exe"
    3⤵
    - Executes dropped EXE
    PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,9307063580948821480,4249892525957605923,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6000 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Doctor Web\Logs\distrib-starter.log

Filesize
4KB

MD5
c1fba4dbba6e0d5dd0569aeb6cfb8f04

SHA1
805f16ce14e16ecb32f739ce059b3400ee80d4d1

SHA256
07945ba70a3ae793066102954151cc2a75603072287b3f4930de7dc5c50ea224

SHA512
6b1a2307a371660104571232bee37fb8f2b61ff0df3feed2fe59d9259bbda0155232a442a438e2561baf2466bfb040a80e0a58c19f84301cd3b7644c7ae733d7

Download Submit
C:\ProgramData\Doctor Web\Logs\distrib-starter.log

Filesize
6KB

MD5
6c1f0b1e40efae9d6417f63c1c1ec6b5

SHA1
68b1df6a1bc5d9c2c3a6e090b296e0ec133decab

SHA256
3a07f70c9152109cc62b8a2a5fce50d6e31b23591da77497732e096f47dd471b

SHA512
40d591f7853988511f1da7a7e8abf04828d2fdd713d7203bfe7be06c8cdf5afea789529c954c7d8f118f26991b62e378bdab41b14c7348505e48a389e62b7e65

Download Submit
C:\ProgramData\Doctor Web\Logs\ss-setup.log

Filesize
136KB

MD5
a45d9186453834fb9595eed2e59724f4

SHA1
0cf258a241fb40cfa9dec3902e848ddd656cf1bf

SHA256
5e1400afc416cd9093c3ae90d6a71f0527dcde0da35ab4a18ad8a0a760635f41

SHA512
ff6a30b63dbfbc24ae7a0fbaf36b9df9718926f05cf68c6b90926724ad4d54daece2c48434b667f021b16715197bcd492073ff4454aec1e7cd2915b569a84120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
150KB

MD5
df0b0b94b85a2d9869fcc88e345880de

SHA1
5bcc905629b74e231b3c6f89e28dc915ec936d0d

SHA256
2c4d6fe8fda737b8e22b3d12e1b40a69f68c17083138e935c4da36f453fb8dae

SHA512
41cfd664a2cb1fd55433d4b11c6350e9d55218bb1dc392b4f3d165fa02f62d80d496fc75009a00a768ef82e795baad5e5b11b1a9c60acb6039ba2b9ae60522d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
72KB

MD5
b04f20981988e0fec824f237c93a832b

SHA1
6f78311ba21504d31dd5baa2be1a12253317f03c

SHA256
a269c627d312c3062da73bb7d4fe2f812a09d417235740d0aa3af3b73a3ce3fc

SHA512
068d2e3c5214a851e8b0ca5fbe843062111bb0f79f93d8d9a7e8d4190a4066297110b60ad5b57aa36b7111cc7c8b624493ea030f034295ce81dc4439408b0ed4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
48KB

MD5
3aa5fe776baa6da67bbd9b8d42994852

SHA1
6402145dd76e8c5dcd504e59e8732ef12b52f9c6

SHA256
b77b6a78c906fd2fe5683709e8dcae51a196229bb37bb16e9c971067f3fee0ad

SHA512
ebae5b71a7b62a657b6c165768abd477cf5a02847bbb3f2150293a159a0b2450019b80d82772c9315a3f7469818054f042a24c7a03546438d40fb862be5b16cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
100KB

MD5
ab5b722ee2b8a1fd83c62ef62a07c783

SHA1
abb83d178929f37f6b7454430f68f58603883a2c

SHA256
837456f6c0e84bb36eef503c0432f5ae49da99d7b949710b078620f6e659acf1

SHA512
6adde543f5cb6988061eb730c5a34cb95fd4ce4bf1188447ec9c5a4cccf9d1312b16cd5d0e2d75fd33f6f5d5740483af3770bb4ff1b2affa3b048680d033e07a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
28KB

MD5
d4bd2df621c0ab66d099c8aca1952e6d

SHA1
718ee79e97c42fea858f8909c7d85c5c84fb4042

SHA256
fba42054c4e1e8b653f93cc2cd20ff6333d9d8ec37d978037cd7915b7b97330b

SHA512
44a34a6e978105155a42dd7bde79ea8c0cb0dee56736df5f856f7b97af2c05ee4c705c0db1f138ad8da02c8eb85d9361a4b837520590bb74af01da52fb6b2b97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
34KB

MD5
8f5683ddedd295d5d10d43715f28a5ca

SHA1
025e69b189b50b49e5ae10ee64348208cf4159a1

SHA256
2a153eddd08e512f4922f049494f4ecf227f9fc6c6697e93ba66f2a4ab33cfb5

SHA512
1dadfb0cd5fc524e936ae28e66fbf4875604c4ebb42d77a51671297a0024e988ac700369d3c42a8030eb8245439bc49b8f1987ad6225d9e2f2e426481bec2187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
71KB

MD5
9e151343dc96c33765b0cd5aa2d72922

SHA1
18fc3fb652e6dec25d29e7802c093d0dfefdaeaa

SHA256
131fb76155635722359fa3ab0fa07c14f3031f6134b6077e71b0c3e4d8b4154f

SHA512
fd95dbe5e12599c62abb121f6c678191c98d25b57f322392d99b4191cc1d2ef115adb37ffb7dc581148ac4d340419fcfbc02e47dd4fcbcc02d1a387ccacb9739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
912B

MD5
20947851fa23c630de87854d7e7cbd9f

SHA1
4e1b6c1ecf30f013fb3538511bc7c821412c27e7

SHA256
66d311f882b2f5866402868cc36086676f7c20f676dc3c7ceff4c9a6ad786b5c

SHA512
3bcb4231bc14c0970636ec6ce6fe097e97af75140b5d4419a3e22c0411b84785ec969bfffc08bcf58b5817419b5ed10a11e545d2a3351aaca0a4db3ef5a5a5de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\001\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
cba9628b67e72c821b34b76c586195a9

SHA1
d09d4a27731db3eb74dd6f81ec69fb55fb8333e7

SHA256
6f654d4db00dfc6a43085ab59532f85e33dd827b253fb40bb05a25642b1bcd81

SHA512
6ae3a8f3fcdc63b2b10de454d8aa37a3736be8e93263d20e88e2e25821e024e65791e0f5ac2788113802e5e2c7786ac19b96d64bd0a4884503dc17536b6b7a25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6db94da15253fe542742317b61f2f0e9

SHA1
61d6220fa990f1d7e717fe8da6d62e3fee195805

SHA256
085c52a0aff25d0f435276893f070b66e9d157c3cc4ae5a9b2996ebd2a5687eb

SHA512
a7b2777a7418a0a1cf5cf693910b2776fe85ae962e632da6096ab1c3e05ad49e83f46372a0a3b09f3d8f915f0c441f905d805c49aea681eced23abd46998d87c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d188e63e000312daff81933c522916b5

SHA1
ed1a8e5ad489f0875284da398fb5f0458452318d

SHA256
238089891ea5bb1669c2aa6f36f6e2951b9ee76684efb13db4b44655edd49835

SHA512
c02e38acb91f170da4ec722302c9deecf8e9628cdd1255d009f5c3c883ff00c4a999cfe8bc17e37aafd39dd4039f84a294376b801b27a4217969a0c99a5b2362

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
111b8321b7391195f09e1e4c28172925

SHA1
e824bc4d46704a592a7ec6bf30b4e8926e6948f5

SHA256
4301aab6ebb60ca83c6c1530ec6b971c5b1566b3748a82a0667813d77b8ed986

SHA512
1e8ee329c25ea02eac6b1f238d5ffde044fa2d9dd7eafcd7a504b14024b12e59a1e6288b1b464daef440c5c3a6ecdde3905a6e958ee1009ccd9eb8080fb60027

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5498a69f40582f86f807e6541d643536

SHA1
a71406282a2e653a583375b33a460e3426a0af8c

SHA256
032fc66b2be96549f3bed953c870de78f8e909a685247a702107b5d6ad009e48

SHA512
5eca864d05ae8060591eff95e627940f39d12a3befa8497f28a71b9d09addaa96ee001de0e3963c0d1e8b5b91cb1fcedc835f058749e88fd4f4ceb03c6f57b0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ebef62867b82493040348fb23128d49a

SHA1
6f0e119f1f41eb48c8fc895076358d09f29afab1

SHA256
de71d71677841dae071dc4a7198ce2100b508e14e17dfb840e957e738e404225

SHA512
eb89a5c1755eca14dd7f687d5b2a1c5d667e5c154e752a9d31f21e21f7cc58a7d46819b0f7d18f6e9c95570747026050b2bcaa78f79e002d677b066747e9e46a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cfc3e023fe031b0ae77efd97a297c239

SHA1
d012c11821960ec598e8de34658f2fe42ac0aeb8

SHA256
7038f35fbf4235901ce9a0252b347999b09de658a71a760e2232f6251f5a243c

SHA512
5ec85b4622ad7f880bc9e71e0117c00a8fc2a72a5f857652ae889a928e9149b0d22c17d88703dfd876ed54899795ed2823deb691c9072953278ef92462794f03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
387bc4e6b02a0d56a847fb7fdbb84585

SHA1
8558f7b1989373e734f498f29407724d7ccf7c5b

SHA256
f97a1a573ee242213fe98e7f2555dd6856203b0d9912b633b2056aa92e9dc0f3

SHA512
9993a43d53802de45a0c5f5067281ac3c2b1f00f946d8434754e24ffd1631a110cf0c5997b07f39f91410c5cacc322c30d92dc050efd1ccda9b9e83f43559b04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
43b0c47edf23e8b7f24e07b708e34e9c

SHA1
f1499080d7dc8a1fd5eb70d0c8c811d78bbfdc8d

SHA256
7a91f528d4acb36d1f83868caa3eb67e0d77ce02603943efa55c802ee005da1d

SHA512
728a419b5a74709c77a52fa5b3fd118b165af58003fad6be78ab962835521a5dd4b9e6c57c2c4adcabaf7de445835b30316740f3e4526d0714c5f7faf57f54e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bf68.TMP

Filesize
203B

MD5
983ee4deb1b0dcfc08065f747619ccde

SHA1
ef562450b0428ab97ffd5914904f9b608ed0db95

SHA256
4a73ab11a836d760d149cf3674f733057294b715076e139433d5042432c72dd3

SHA512
5c4e84e48ee41d355f840329decbfe9f3400fe381283ec5c356651808a5d528abc0b8eb2eb58b4790248a0955ce9fa7c1cd8471b498f28209ef8f44f0c1e5a83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8c69a57ce90f380c37ef7eeb7ad6074c

SHA1
a72ac1aeba1046355620ed426ab45c5d68ac7284

SHA256
c108f9dd6ce59f7a517b476038b9b30d96a1f0e9ef7106e5bd262c45fb6564e9

SHA512
82421a37b6934a49e8fcba0ca6e3fdb7550390de86cbd26412f44c776f4c8ff2245b6e64707e06460c359d90870ae1fb2291b56c0b9e395a2d7b4a2104efb35a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5366214281a79aec153e4340b3cc8630

SHA1
031dc377573701fd538a402d00935783a4972be6

SHA256
c0c06c04fbca2ccde4fd175c309f651b88ef9c2d23d1487f17dae153785e6cbb

SHA512
c64e204c25892b4fdaeed9f19fe378a9969b78f5556f593659fa903005ea7c2352ca2979f9def6ec45e1df4200f472f844a8c1b1cf2f3ab23025dea5e0caae93

Download Submit
C:\Users\Admin\AppData\Local\Temp\E58DB2FE-7030457B-87CD4BAE-5C8BB12A\win-space-setup.exe

Filesize
12.4MB

MD5
b5c16081f600e191daf634f3be96da93

SHA1
020acb870a6e465980b67ce8cb066913b32267ac

SHA256
b2749df3b0672acb02e8fc1e96849c37edf0fe0e90cca3ce985f14c96abc5537

SHA512
ec58401b2162e2dda3fdc461fbef6256af25ebfcfe7460df9ef71500f4dacd844cf383203f12d9b87afa61d2c5537999b7dcdd5419d074bc14be0476c6a98c22

Download Submit
\??\pipe\LOCAL\crashpad_4592_NTDRMPJQBRQBAFCF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit