redline | hxxps://www[.]youtube[.]com/watch?v=0PSj5tkdFIc

Analysis

max time kernel
64s
max time network
89s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/watch?v=0PSj5tkdFIc

Score

10^/10

redline xmrig evasion execution infostealer miner persistence spyware stealer themida trojan upx

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2056-1043-0x0000000005210000-0x000000000525C000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

sfasfafs.exesfasfafs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	sfasfafs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	sfasfafs.exe

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/4476-1266-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4476-1272-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4476-1273-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4476-1270-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4476-1271-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4476-1269-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4476-1267-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2004 powershell.exe
4252 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
2004	powershell.exe
4252	powershell.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sfasfafs.exesfasfafs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sfasfafs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sfasfafs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sfasfafs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sfasfafs.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

38.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation 38.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	38.exe

Executes dropped EXE 13 IoCs

Processes:

38.execrypt.exesfasfafs.exe7z.exe7z.exe7z.exe7z.exe7z.exeInstaller.exe38.execrypt.exesfasfafs.exe38.exe

pid	process
4180	38.exe
2056	crypt.exe
5928	sfasfafs.exe
5312	7z.exe
6028	7z.exe
1096	7z.exe
2732	7z.exe
1508	7z.exe
3880	Installer.exe
3344	38.exe
5408	crypt.exe
3424	sfasfafs.exe
2868	38.exe

Loads dropped DLL 5 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe

pid process

5312 7z.exe
6028 7z.exe
1096 7z.exe
2732 7z.exe
1508 7z.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5312	7z.exe
6028	7z.exe
1096	7z.exe
2732	7z.exe
1508	7z.exe

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\sfasfafs.exe	themida
behavioral1/memory/5928-1054-0x00000000004C0000-0x00000000009F4000-memory.dmp	themida
behavioral1/memory/5928-1051-0x00000000004C0000-0x00000000009F4000-memory.dmp	themida
behavioral1/memory/3424-1128-0x00000000004C0000-0x00000000009F4000-memory.dmp	themida
behavioral1/memory/3424-1127-0x00000000004C0000-0x00000000009F4000-memory.dmp	themida
behavioral1/memory/4356-1144-0x00000000004C0000-0x00000000009F4000-memory.dmp	themida
behavioral1/memory/4356-1148-0x00000000004C0000-0x00000000009F4000-memory.dmp	themida
behavioral1/memory/2332-1161-0x00000000004C0000-0x00000000009F4000-memory.dmp	themida
behavioral1/memory/2332-1162-0x00000000004C0000-0x00000000009F4000-memory.dmp	themida
behavioral1/memory/896-1163-0x00000000004C0000-0x00000000009F4000-memory.dmp	themida
behavioral1/memory/896-1167-0x00000000004C0000-0x00000000009F4000-memory.dmp	themida
behavioral1/memory/6104-1168-0x00000000004C0000-0x00000000009F4000-memory.dmp	themida
behavioral1/memory/6104-1171-0x00000000004C0000-0x00000000009F4000-memory.dmp	themida
behavioral1/memory/6036-1176-0x00000000004C0000-0x00000000009F4000-memory.dmp	themida
behavioral1/memory/6136-1175-0x00000000004C0000-0x00000000009F4000-memory.dmp	themida
behavioral1/memory/6036-1177-0x00000000004C0000-0x00000000009F4000-memory.dmp	themida
behavioral1/memory/6136-1174-0x00000000004C0000-0x00000000009F4000-memory.dmp	themida

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4476-1265-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4476-1266-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4476-1272-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4476-1273-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4476-1270-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4476-1271-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4476-1269-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4476-1267-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4476-1263-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4476-1261-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4476-1260-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4476-1264-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

sfasfafs.exesfasfafs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sfasfafs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sfasfafs.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

sfasfafs.exesfasfafs.exe

pid process

5928 sfasfafs.exe
3424 sfasfafs.exe

pid	process
5928	sfasfafs.exe
3424	sfasfafs.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1400	sc.exe
5868	sc.exe
5876	sc.exe
4892	sc.exe
1008	sc.exe
6060	sc.exe
3404	sc.exe
3224	sc.exe
5672	sc.exe
5156	sc.exe
5272	sc.exe
1700	sc.exe
396	sc.exe
6000	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sfasfafs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	sfasfafs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	sfasfafs.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 8 IoCs

Processes:

Loader.exeLoader.exeLoader.exemsedge.exeLoader.exeLoader.exeLoader.exeLoader.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Loader.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Loader.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exesfasfafs.exe

pid	process
3084	msedge.exe
3084	msedge.exe
4456	msedge.exe
4456	msedge.exe
5260	identity_helper.exe
5260	identity_helper.exe
5708	msedge.exe
5708	msedge.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe
5928	sfasfafs.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exe

pid	process
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

AUDIODG.EXEcrypt.exesfasfafs.exe7z.exe7z.exe7z.exe7z.exe7z.execrypt.exesfasfafs.exe

description	pid	process
Token: 33	4828	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4828	AUDIODG.EXE
Token: SeDebugPrivilege	2056	crypt.exe
Token: SeDebugPrivilege	5928	sfasfafs.exe
Token: SeRestorePrivilege	5312	7z.exe
Token: 35	5312	7z.exe
Token: SeSecurityPrivilege	5312	7z.exe
Token: SeSecurityPrivilege	5312	7z.exe
Token: SeRestorePrivilege	6028	7z.exe
Token: 35	6028	7z.exe
Token: SeSecurityPrivilege	6028	7z.exe
Token: SeSecurityPrivilege	6028	7z.exe
Token: SeRestorePrivilege	1096	7z.exe
Token: 35	1096	7z.exe
Token: SeSecurityPrivilege	1096	7z.exe
Token: SeSecurityPrivilege	1096	7z.exe
Token: SeRestorePrivilege	2732	7z.exe
Token: 35	2732	7z.exe
Token: SeSecurityPrivilege	2732	7z.exe
Token: SeSecurityPrivilege	2732	7z.exe
Token: SeRestorePrivilege	1508	7z.exe
Token: 35	1508	7z.exe
Token: SeSecurityPrivilege	1508	7z.exe
Token: SeSecurityPrivilege	1508	7z.exe
Token: SeDebugPrivilege	5408	crypt.exe
Token: SeDebugPrivilege	3424	sfasfafs.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

msedge.exe

pid	process
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

Loader.exe38.exe7z.exe7z.exe7z.exe7z.exe7z.exeLoader.exe38.exeLoader.exeLoader.exeLoader.exeLoader.exeLoader.exeLoader.exe38.exe

pid	process
5156	Loader.exe
4180	38.exe
5312	7z.exe
6028	7z.exe
1096	7z.exe
2732	7z.exe
1508	7z.exe
5988	Loader.exe
3344	38.exe
2028	Loader.exe
5696	Loader.exe
3696	Loader.exe
6068	Loader.exe
3976	Loader.exe
2484	Loader.exe
2868	38.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4456 wrote to memory of 4364	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 4364	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 1528	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 3084	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 3084	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 812	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 812	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 812	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 812	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 812	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 812	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 812	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 812	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 812	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 812	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 812	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 812	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 812	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 812	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 812	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 812	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 812	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 812	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 812	4456	msedge.exe	msedge.exe
PID 4456 wrote to memory of 812	4456	msedge.exe	msedge.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

5156 attrib.exe
4568 attrib.exe
3652 attrib.exe

pid	process
5156	attrib.exe
4568	attrib.exe
3652	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=0PSj5tkdFIc
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaef7f46f8,0x7ffaef7f4708,0x7ffaef7f4718
2⤵
PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,12522130666626266666,1474099970065783061,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
2⤵
PID:1528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,12522130666626266666,1474099970065783061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,12522130666626266666,1474099970065783061,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
2⤵
PID:812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12522130666626266666,1474099970065783061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
2⤵
PID:1368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12522130666626266666,1474099970065783061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
2⤵
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12522130666626266666,1474099970065783061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
2⤵
PID:2840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12522130666626266666,1474099970065783061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
2⤵
PID:2540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2192,12522130666626266666,1474099970065783061,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3300 /prefetch:8
2⤵
PID:4176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12522130666626266666,1474099970065783061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
2⤵
PID:3724

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,12522130666626266666,1474099970065783061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6536 /prefetch:8
2⤵
PID:5244

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,12522130666626266666,1474099970065783061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6536 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12522130666626266666,1474099970065783061,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
2⤵
PID:5656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12522130666626266666,1474099970065783061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
2⤵
PID:5732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12522130666626266666,1474099970065783061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
2⤵
PID:5836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12522130666626266666,1474099970065783061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
2⤵
PID:6000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12522130666626266666,1474099970065783061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
2⤵
PID:5152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12522130666626266666,1474099970065783061,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2836 /prefetch:1
2⤵
PID:5144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12522130666626266666,1474099970065783061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
2⤵
PID:5476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12522130666626266666,1474099970065783061,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
2⤵
PID:5440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2192,12522130666626266666,1474099970065783061,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5780 /prefetch:8
2⤵
PID:5688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12522130666626266666,1474099970065783061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
2⤵
PID:5700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2192,12522130666626266666,1474099970065783061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5008

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d8 0x30c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2252

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5156

C:\Users\Admin\AppData\Roaming\38.exe
"C:\Users\Admin\AppData\Roaming\38.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
3⤵
PID:5420

C:\Windows\system32\mode.com
mode 65,10
4⤵
PID:5224

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p26489142026493027755422784 -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5312

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6028

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1096

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2732

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Windows\system32\attrib.exe
attrib +H "Installer.exe"
4⤵
- Views/modifies file attributes
PID:5156

C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
"Installer.exe"
4⤵
- Executes dropped EXE
PID:3880

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
5⤵
- Command and Scripting Interpreter: PowerShell
PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:4336

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
6⤵
PID:2708

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
5⤵
- Launches sc.exe
PID:6060

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:1400

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
5⤵
- Launches sc.exe
PID:1700

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
5⤵
- Launches sc.exe
PID:5272

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
5⤵
- Launches sc.exe
PID:396

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
5⤵
PID:4952

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
5⤵
PID:5740

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
5⤵
PID:4568

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
5⤵
PID:5328

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
5⤵
- Launches sc.exe
PID:3404

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
5⤵
- Launches sc.exe
PID:3224

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
5⤵
- Launches sc.exe
PID:5672

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
5⤵
- Launches sc.exe
PID:5156

C:\Users\Admin\AppData\Roaming\crypt.exe
"C:\Users\Admin\AppData\Roaming\crypt.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Users\Admin\AppData\Roaming\sfasfafs.exe
"C:\Users\Admin\AppData\Roaming\sfasfafs.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5928

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5988

C:\Users\Admin\AppData\Roaming\38.exe
"C:\Users\Admin\AppData\Roaming\38.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
3⤵
PID:3400

C:\Windows\system32\mode.com
mode 65,10
4⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p26489142026493027755422784 -oextracted
4⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
4⤵
PID:3136

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
4⤵
PID:5884

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
4⤵
PID:6064

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
4⤵
PID:4952

C:\Windows\system32\attrib.exe
attrib +H "Installer.exe"
4⤵
- Views/modifies file attributes
PID:4568

C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
"Installer.exe"
4⤵
PID:3840

C:\Users\Admin\AppData\Roaming\crypt.exe
"C:\Users\Admin\AppData\Roaming\crypt.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5408

C:\Users\Admin\AppData\Roaming\sfasfafs.exe
"C:\Users\Admin\AppData\Roaming\sfasfafs.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Users\Admin\AppData\Roaming\38.exe
"C:\Users\Admin\AppData\Roaming\38.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2868

C:\Users\Admin\AppData\Roaming\crypt.exe
"C:\Users\Admin\AppData\Roaming\crypt.exe"
2⤵
PID:1908

C:\Users\Admin\AppData\Roaming\sfasfafs.exe
"C:\Users\Admin\AppData\Roaming\sfasfafs.exe"
2⤵
PID:4356

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5696

C:\Users\Admin\AppData\Roaming\38.exe
"C:\Users\Admin\AppData\Roaming\38.exe"
2⤵
PID:3940

C:\Users\Admin\AppData\Roaming\crypt.exe
"C:\Users\Admin\AppData\Roaming\crypt.exe"
2⤵
PID:3948

C:\Users\Admin\AppData\Roaming\sfasfafs.exe
"C:\Users\Admin\AppData\Roaming\sfasfafs.exe"
2⤵
PID:896

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3696

C:\Users\Admin\AppData\Roaming\38.exe
"C:\Users\Admin\AppData\Roaming\38.exe"
2⤵
PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
3⤵
PID:3976

C:\Windows\system32\mode.com
mode 65,10
4⤵
PID:5672

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p26489142026493027755422784 -oextracted
4⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
4⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
4⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
4⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
4⤵
PID:5688

C:\Windows\system32\attrib.exe
attrib +H "Installer.exe"
4⤵
- Views/modifies file attributes
PID:3652

C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
"Installer.exe"
4⤵
PID:4344

C:\Users\Admin\AppData\Roaming\crypt.exe
"C:\Users\Admin\AppData\Roaming\crypt.exe"
2⤵
PID:4296

C:\Users\Admin\AppData\Roaming\sfasfafs.exe
"C:\Users\Admin\AppData\Roaming\sfasfafs.exe"
2⤵
PID:2332

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6068

C:\Users\Admin\AppData\Roaming\38.exe
"C:\Users\Admin\AppData\Roaming\38.exe"
2⤵
PID:2192

C:\Users\Admin\AppData\Roaming\crypt.exe
"C:\Users\Admin\AppData\Roaming\crypt.exe"
2⤵
PID:736

C:\Users\Admin\AppData\Roaming\sfasfafs.exe
"C:\Users\Admin\AppData\Roaming\sfasfafs.exe"
2⤵
PID:6136

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3976

C:\Users\Admin\AppData\Roaming\38.exe
"C:\Users\Admin\AppData\Roaming\38.exe"
2⤵
PID:3084

C:\Users\Admin\AppData\Roaming\crypt.exe
"C:\Users\Admin\AppData\Roaming\crypt.exe"
2⤵
PID:4676

C:\Users\Admin\AppData\Roaming\sfasfafs.exe
"C:\Users\Admin\AppData\Roaming\sfasfafs.exe"
2⤵
PID:6036

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2484

C:\Users\Admin\AppData\Roaming\38.exe
"C:\Users\Admin\AppData\Roaming\38.exe"
2⤵
PID:3032

C:\Users\Admin\AppData\Roaming\crypt.exe
"C:\Users\Admin\AppData\Roaming\crypt.exe"
2⤵
PID:5244

C:\Users\Admin\AppData\Roaming\sfasfafs.exe
"C:\Users\Admin\AppData\Roaming\sfasfafs.exe"
2⤵
PID:6104

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1728

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
PID:3036

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:1400

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:1700

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:1008

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:5868

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:5876

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:6000

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:4892

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:5788

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:1056

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:3188

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:5800

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:5952

C:\Windows\explorer.exe
explorer.exe
2⤵
PID:4476

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
PID:3864

C:\Users\Admin\AppData\Roaming\38.exe
"C:\Users\Admin\AppData\Roaming\38.exe"
2⤵
PID:1796

C:\Users\Admin\AppData\Roaming\crypt.exe
"C:\Users\Admin\AppData\Roaming\crypt.exe"
2⤵
PID:5060

C:\Users\Admin\AppData\Roaming\sfasfafs.exe
"C:\Users\Admin\AppData\Roaming\sfasfafs.exe"
2⤵
PID:4388

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
46KB

MD5
b4e4c40ba1b021933f86142b1010c253

SHA1
8901690b1040e46b360f7b39ecb9f9e342bd20af

SHA256
a1ad4fde10e0f378aeeb97ec0aaa27bbdba9ed434a0334052f0230e09fd891ae

SHA512
452cbfc40d99d69d65271ab7a6fb62c87d123813fe20898d13b938c13d54efb2e33eb04e165f18e9e91b6a0d02b3282b8e3bf2b8c65efaa974022d14c07bcfd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
221KB

MD5
56204da36404033a43f127f76d9486d8

SHA1
fe2e96b81be503fd36c691bfb7b25236bcc4066e

SHA256
1aa4233495dd798d7b55138e5b27a1d73d84fc71ba184d314a08d4f84dccd7ff

SHA512
d589af9d2dec94cb6e2cbfc5a90ade048f24b123d8f2257b4467b0ea01a01b5a9ed351da1765f337c9b97c251451f7680c07b3f97ec66e3d91627c148ba34903

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
Filesize
32KB

MD5
f608f6949fa920ceebf1e456a41dfcf0

SHA1
c01b33d544b9f2bf8b7e82fe3fad7139efdc6d62

SHA256
860b97b6695f5a1b7766bb36ac868fe16d0e8c4e7d9aacb7333ea790ae1948a6

SHA512
1ca6e96f0c3768656889ec552c3e9636c184e0c91921883c82527e9bb5ab927db40d48c79dbbd3962b35a668d6607484d7bc0223dc709aa4fb79f53ee36be3a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
Filesize
32KB

MD5
94fd864eff41d2466c55e3d0d47e92c7

SHA1
2c8ab5e8d1ac7f09af3c09de7575f8ad55706094

SHA256
b7b245e311013279605a274aacf18e2f9314ea6c275aa4c54f7676c63f9b9248

SHA512
4e1f2656222174c5442a5af47a63bc56acb71d8f34809aec6f33e15f6e15d6e8e81f72a8aff925c09bc2d4a0d9f55b408d7d8dcb7ec01519e431a3dd28e1f682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
Filesize
23KB

MD5
e39b6cf311ba32121329e891bbd5d8ed

SHA1
b7c0f44c75c46ced9864b9a1543d4d8ba7f98219

SHA256
a1edcc8a3157c491ce4f40f425938446f5820bd652c79cfdfed43597d9f5fc3f

SHA512
2d555c51fcee9f10f17fc3029ba6367262572280b9983f90e07c9ce1603e6b9739ff0bc3ade14f33d7df91d66a6d72535208b4cb1be5d356d6449fe086367ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
816B

MD5
18702eb7341c141aa4f3ee93f52c2779

SHA1
8ccf2f86091063e239abdc430e0947727c40e414

SHA256
1ee09618c946d03aa4d23b259f1ba5da8cc3cd8173ec85cc160f9bb24d264f1e

SHA512
f0abb47690663c08859fe09dc29981baa48dc2523a766be4f40a9977f57281e86668dd6a819c5c9edb10e3c1f09f2e3e1737595a68d4109fdd926936e7ee0983

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
Filesize
20KB

MD5
4e4868943f9aa68019e93a732f9bc868

SHA1
b1c3a4b0a57145f91cba4297029a1bc313878ef1

SHA256
cf33f9884d54a2639b037f0d4acab917dd1a6b034766d7f223e0bc486017f3ad

SHA512
7344b88b2560166fe04972e948da266400452409a157d02dc91c3ad9817cee86d230ed07fb18dcff77bf138ec2f83f4141bee5ab29de06d0e174feb41ad526ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001
Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
ea94c41a6d8b2cbc873337538d7e7b73

SHA1
a1668743c16e0bb7fd0292a4793990332ea4ec97

SHA256
76dd0425af069512f8e660fdadfd51b3d76c2cd6b9fc1457636965686f75187e

SHA512
919a289febe6a2a04711265598f67acc08b8ab3e64dcee74423f4a52dbfe43db4a77e22c14dda96dfe249b1dacc4e18581f656a142ce123b084a493ebcab831e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
a89f86656927f47b41e165615f983833

SHA1
91cee526148da1a88c01c7f6dfcfb3be6dde25d9

SHA256
e94ac9ec41f34046c68ff4f99a54c59597675776d557b1e5482acd61be1188d5

SHA512
e714aa1398e6945bdc6f49e7c9650f3893131f7d811d4cdb0e4f79ebff9cc6bab0c62d39cb718d55e57f1e3e8da5ca5c49c245c5e5e257f51b0f9bb489023af9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
ad89a44f21987da8db097e19a90b8d7f

SHA1
1a1b9e02801b1843a6fb67c7090d3393405cb8d7

SHA256
dd9a8f099b19b3415c9336955d20f4f6c26cdd8498de5efb66980b6d03e9f0bb

SHA512
a192dd47f2a2cf40f66818b057eb047c097ebe4a36cdc6a5783e393e699408c633668f1b41e5a895d5466f2a9c9a3a5e380cc0d0b103f92d32bae15550310c37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
720aeef2ecbf9a2ce58974d9a583069e

SHA1
9effb1e8f7b14a1da2f08215b33915e614b8019c

SHA256
e475137db2551a922e7f2a558fabc4f9252ac86c7bb5ca86b708772884873e7d

SHA512
15984ba05642263432aa7518e9723a43fa6d076b2d0ea89800c5909bcd5ae70e876f7ea6100a59e92227909461a88c92c8ef9b36e5d4bd22c632e8b1f6063531

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
fbb2a616d2c52a440445cf32ac77cf9e

SHA1
690413fc111f84ad4754f1502f5760422fc7d215

SHA256
c1db67e7c1dc494e99e5ddb1f0ad5eba5db84969933fad45523c5f3838d0afec

SHA512
21663f3fe8d58fd74e4b0cc29a238bd65a957242529fed96d4ee39ad0781abb8af26dbac143e9ecddf7653faad45dae0b45f4940fde1e4358a7298a05260cf6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\1d765b56-681c-4a65-8242-265bcaf447d6\index-dir\the-real-index
Filesize
576B

MD5
18b14cd1a4b249f0270a5b4e2e368e98

SHA1
483c83f8228c83935e1f8f7a8ce4a1e77f37a2ed

SHA256
bee26de466095c5014bf4093cd2d75fd38996157f91b82357bd0d45edb8645e0

SHA512
e3bb7cebfc81ba8b72d15f0b170b4570e38fec437efa6834d4672eab9c934d5eaaa4c403787acb638e3ba1d64c7da4a33649f61f32abefcd73eda8dd6f1131d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\1d765b56-681c-4a65-8242-265bcaf447d6\index-dir\the-real-index~RFe580579.TMP
Filesize
48B

MD5
d3f78eb8e1b0c023f4888fd3bbe0d22d

SHA1
9b55c323bee343fe24667f0d7e2eade4c5bd407d

SHA256
cdec5e07273d2446cc0423c333bf5781cbeb839673581e084bf35eddf892e511

SHA512
17bee7583e04019d2e66fc608579881dd112ddc3add0928d0855b0d146e8d9b3ca8a6d66938cdecbae64ad0b48a2577b69f31070eeb7636a4ecd3fbbd7161959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\34e8596f-72a1-4c2b-a43a-230a322abaf5\index-dir\temp-index
Filesize
2KB

MD5
494a120dc57c0e009a7fa4dca99535a7

SHA1
53580f78d17ef7684e450b1f903fadc44c007e5d

SHA256
0948aaa855f57701c540ec9f636c630a2929432f2e784bdbb9c106da5a5971a1

SHA512
94c0cec9d0f8cc6cd7978833cd85d7b81787b6467cb974585022047c28d3a81dbde9adb9cecf7d2756f6b8efb92683a7402f3a0be9487c1fa9362f5cf5951015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\34e8596f-72a1-4c2b-a43a-230a322abaf5\index-dir\the-real-index
Filesize
2KB

MD5
2e5728c137f980b2b5e4c19077f38683

SHA1
d9da35df4de778b484496ff344aa1e9f367825bc

SHA256
02ccd5fc2e7ca68da3b37112b402dff19880c7935ba67c0a0f66c17de3a8ebe9

SHA512
41375fd7dfe1d55cd366f795deec64538602e75dfc6d55bc6b68c4efa9ed93f4e0e5cf3c2f28d9e5d6c739d5e79fa5e2e282deacd0b29589f5ad749eba71f2d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\34e8596f-72a1-4c2b-a43a-230a322abaf5\index-dir\the-real-index~RFe57a112.TMP
Filesize
48B

MD5
f0de94fd06d3007fe1f106f0516c2cda

SHA1
0c90eb44ca623aa299e860d1439ac734fcc9c694

SHA256
78460b3354defa34fa6ebded574e17c0e00ea357c73c7c29c0e4ceb20c2583a5

SHA512
81f8077b481082dcedc7552c51da9bbe28e28301b15140d81a54c030d8eccde56db6d691c3b3155b9946291965bce9f599c1c3a6f9284a2c43171da3b70780dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\bae713c4-4775-43e9-8fa0-a94d70979116\index
Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
f8e687a0a95f02fe3f9f4522551e2f93

SHA1
7041c14f1b5ea0edb14e6b14cad802513f3a6894

SHA256
e8d930598ea0698f54be9781fa3e00353932cbe15237046ff34f3f32f0a04f33

SHA512
441a90a0a59596ab3a03dcb5b986fa5d214f471362521f2b829948ff4d3714bb2043814eb3590007ba0d91e0a53ac8bf281a84cba7b81c445d6d36abf0e1bb0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
148B

MD5
2581b652da5b57e30a29b75b94388e28

SHA1
c2f9e8c63014333a07f307179497b58cdad3c9f7

SHA256
225d7cf7b7c963a0dca49d8b5a2dfc6118295a5f61cd85379fe85fff74a32755

SHA512
5223cafc415575b93f30dff6d1f8ecb675552bf1226c525765aa03780a82cee59398a1284cebe59baa8eed57a5de3db43585f9e5ed704dc37690f96012873362

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
84B

MD5
a16e0f3f792afb2bfce053edafd57f7a

SHA1
444981a7195d0a34661032d5e2d7acab1b3626fc

SHA256
034fa4986b9f478e84b2b354316db05c258c84916cbdabcbdf8d8a14deba8536

SHA512
897a2057adfce22de4b349a42f153049897132e3ccfaac5daa984ff3bf4aa7afd5042b3c25f5c376edb4e51ae0cda0c1d1aac5c3af7d5daa25404354dc3ad99d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
157B

MD5
c23b56189db41b24721472ce4db55a8b

SHA1
77d4b3793760a1a5966c04c9914285fd78b62e99

SHA256
adda6f712cbb383a88fea6078b3618f650ee2c68e9194c22bf622a74412469b6

SHA512
56e6cceb661fedb5e5c1f18897fe7983300d60d6771f7883e7b69243772436aa286fb5a8dadc8258e6fd7a740da39ec552afffbe171547f4adc3f068bde7c723

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
749fba0781ea08a7fa12209acbfe05f0

SHA1
4a4ede9f4b6c727ef4e99c34f17f3bb3d4fc5c1c

SHA256
0ea1a0a90ab447ed1b5636d70a47b90ca61cec7f6c69277ce603120039e051e7

SHA512
43058c2da00291558de67d6ac41b750a6357618a012f862434e23baefe283f979168d4520ae79b56a733b3ea7df00e53c5b4337fb4449eab3872e4be903e8311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
153B

MD5
4fe3a3918c927e82980a2c125cb6e103

SHA1
60d0079d0b186d43ace6e9fd507ee73362fafc2e

SHA256
435178f4b88be57ebfbfe665425a9314dd5b8924f958b4eec1a3793c83590b9e

SHA512
d4d97f524a67e72e22b61eaee5642f7a9566ae13c6c5d80dd3d04f67693bcb8bdf3c9841ebda35cd59fe092283802af7a324d37750b5a459bbd7ad0e09c465ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe578a10.TMP
Filesize
89B

MD5
98dded7ae3ee6c72e2d0e9ff2747e45e

SHA1
52b34a90a431c9b20707e6abd08c52e5aed7786e

SHA256
7b5c71d2a3430df68601c76b42a11963ac22878c933e2ccf29adfa2ae822f981

SHA512
99968c156f1b8ec55a1030db45965e6cf0ccfd908ddbe8b94870105615bd9e4db3db44d4d1e7642102e732258c0d5c0fdb8bb0f182330f9e197b77c9e92895d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
120B

MD5
6e9f7fadaa72ca4e648aa7a62b48ea44

SHA1
e90613ab2365fd840437f22f90c14d07ee7b536c

SHA256
097831f2bdcf5ac3fe3245f6c4b14af5a9ab3a77ccb4b44a1534d84af41b0d17

SHA512
a8f39e204e20321822dc1f8c008db681d3f179a14d6cbde1528bd4ec9cb1419c22f483c782ad4988baf87e5ce592d03601ef5ffe185aa31a40e64dfd422c2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe583a45.TMP
Filesize
48B

MD5
51d08d3b48039cefe2d70a182f9e2a60

SHA1
049d2d269a8ff55a91359fc76220b1019a2c201c

SHA256
e5555f56565a953bde42debffca63ce4ee48aa5b1f6f35d45267c3096a50846a

SHA512
829b201974ba053678e98a52d500662c4bc68149594e25064d510c0692c0b0d88dee2a4ca556e061efbb93599a38a5ad6105ae73b23ddc8224956a91c4328263

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
706B

MD5
b95b8bd5348e330022a465b613677059

SHA1
114f470611052ef747526faa72fe79d22a0e2bff

SHA256
0c3662e50d65a2fdeeec7ae521e49d69662e536c0a0b9bca5a20a5dc56795539

SHA512
e5956641dfa059c5c74556c70c6dc78fa7845c2fdcd363c63e0dfd4a9b089567b1e7f5d5eb4a53a0289f2320a76861820e5c79ed904fcfc734508d8b37164c73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
6d5957f9c66316291a8f10e79425639f

SHA1
a102b4ec4fd9476eb062a455c0927819dcabc808

SHA256
e0454ef087122725e1efe7663499545137d19ab0449b61b9f04b39c717172e5b

SHA512
e6e1df7b9921458b62c724a7a47378512d09c2e9695c383fa69b597025fbedf3ed8c31a91e8b3c7d197c7a9dc4b200a67f09ac1e0c0ebbb12d1cf2e897ced85c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cfa4.TMP
Filesize
706B

MD5
921ea74353e37c90c1d7769f955d50ba

SHA1
24937734d921f3393d5db72407665601504042f3

SHA256
8960df10599b1f301b63192173d62ac25713d645a311e9e05c331e1d987f46fd

SHA512
78514cabe7365fd5171417a29327e216d341fff4787ad201b036be3941309d9a20c5012ccb3737447633e84841ab6487bda7ce090019dcc0610329b449698ad3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
c69eb0850fb1dcaa198923643dcc231d

SHA1
0a1500a8b356c6c4864c652b17489eb9ba07d58e

SHA256
33b437604059254bdf9cfe1a8f17fc19c497469c0b414e1b2f0c4624f48cf871

SHA512
edf3c0791af01ce34274c2f8ed443c3a71f3780c746d3a4238492cc10c3e53337528ad57989cd85c9838fcf41e186bc4813f4a52d0ed95648ecba797cabba7e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
47b9fe616fce9ee2dbe26910eb6b6678

SHA1
fde81cb8aedac3094d0ae677d0b92fecb3b54421

SHA256
364ad8daa27d61846a15137d6435dcee1d561a19009a64475444888f183b66ab

SHA512
1ccc0a092c654d9ef4a1bcb88cd0cd46e94acf59fc0bddb44aaa1af650b8d79546c82abe861212728224a4d113249db88855573efae387f3f391ab741f43e7e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zpjttqnz.f4z.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
Filesize
2.6MB

MD5
602feb5ff383ac566c962479ba16df16

SHA1
3ad3399a00d02664308939671f0e5713b6634aed

SHA256
68cad5ffe95d00744da3492910ac18198071bebdd4bcea2f9752338e41589749

SHA512
e632bf079a38a657611f51dc1b4d9ea3b0e6533c1e510eac57319b8582f0d3f977eb32c3a5014cf77197ba78c844e6c79e3842128e7997fbf8f141b27c52a1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\KillDuplicate.cmd
Filesize
222B

MD5
68cecdf24aa2fd011ece466f00ef8450

SHA1
2f859046187e0d5286d0566fac590b1836f6e1b7

SHA256
64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770

SHA512
471305140cf67abaec6927058853ef43c97bdca763398263fb7932550d72d69b2a9668b286df80b6b28e9dd1cba1c44aaa436931f42cc57766eff280fdb5477c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
Filesize
2.2MB

MD5
4ef12b08df90e136d3e7e9195d8dcbcf

SHA1
ff8d575cd993c8210723d9f7ea3455f4ee2ef2e0

SHA256
84c4bf07c7eed711e3f180b50ea38767be04308f045e8d86d4198a9ae15c7b55

SHA512
23fda98b916530591626bd427441728335c814aefbe9cd494c986c4f78b90682297ce1045d766d5c390080d31ff85986cc577600a2d3ff22d3f57fec3b8f205a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
Filesize
2.0MB

MD5
c257314fcb6e1e0ddea529a7948c3961

SHA1
f9df04f148ea57e9317dfb518c70adc029bda2cd

SHA256
a20cb34bf41ce00431d1a4e69d7847bc9ee11a11b22a32c94427f945427a351a

SHA512
edcca70ce39afd9388f9f4b84118a2b7212f40590d9086e52364da6b2e53178d5de8bd0d7e1d880c5628b364c84f2dae056d71f2f3880ea566d4dcdef0a41b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
Filesize
2.0MB

MD5
4b6203e2cf7023650b42801c10dbce11

SHA1
972b23ba0beb37e4ae541fe33588813eddf83654

SHA256
6027a2a5a2586572b8aea8b130d761552dfbaff838afd39bb6ca9301077e82e0

SHA512
aa8258be8bdc8e5e5a6bed846ec2aa210bf00fd5dc0f5ac2d198aebd22bcf29c47f6e5b391765339f9932a0ada62ba46c4782552a73a8eb1d503430a01b71df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
Filesize
2.0MB

MD5
464a540d4b2031343b09735d1cb77506

SHA1
febbf0d27e13dfde951d20a7ac9d1912bbf5a9d2

SHA256
a98525f6c8e9fc06996dff3372e1110c4b409e407929cfce1d40a8e513436f18

SHA512
30abed56d0044fc925f61b12fe6f6124349af1c32acdcac1b4d8c34ef70cd33d8b0e2485a5fdb057176ad3f832b275cd635c45af1c0908c6f77480efd9aea0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
Filesize
3.6MB

MD5
026f95cd1fb5b230eef2804df09acee1

SHA1
fbfda7c63bae57da453582500129278db58b82b3

SHA256
24e341c1da4163c36b6819f0aa12aa48f88022ac289a58031fecfef9d537b57f

SHA512
55e964ca2990dcc71172661c5543c01ac2707d23283fe262868c950afe08668b8eba7983e6760ff202065834c2e5727c17e6b2e0dfdffba297c505138dbf2a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin
Filesize
3.6MB

MD5
6b740b85daa0a853bd476907f4836ec1

SHA1
63136d345249805fe5b767f603800118bf0b5d51

SHA256
d131260ea3853686d057f2f78efc81c7b780ee834a7630906b3daf64e5161b4e

SHA512
01d8befd36368e00a30947c20b93eea5b0a80e66282564433b9135703398b33267d9c12cb5c90b8b448c1ee1051c905c25cb50cf801f365d3793b43bce6e5ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat
Filesize
472B

MD5
6856047982ae63d85c7b104fce33d72a

SHA1
3d98e93f3c48707e2096a13f23871298e837f754

SHA256
a1ee8b438847fda0acc1a668cd891ab6bb7e015855e954aec19c09cf8c05f16b

SHA512
79c06d28d135b3dc9687979378a85a741659241002de77d9a45a53e802f271f78377a13749c6fe849cb53ff2bc9d273579c0cf8ab3124a7b7639f98b018750b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc71B1.tmp
Filesize
34KB

MD5
c0a4925e078e3234f7761551c37b62f9

SHA1
c7708867845c558b3b206c47367abc032b7ebfe8

SHA256
a037dcca6c25577e84117a43d24b81653318c20183f5f41053a9b95f64697505

SHA512
86daf9dbe9c156c9565b95b18577e26848b9dc61d4ba433537985c5b07f5ca97697b804bc9182e53ba4781de99d8239afbc77aca1632211946e55fa00e43adbe

Download Submit
C:\Users\Admin\AppData\Roaming\38.exe
Filesize
4.5MB

MD5
40ecc726bee273961d09301c0316af6e

SHA1
0a1122398641375babcf28a7feb24d1935011a7f

SHA256
477712f48e356d8c77224a1264dd765b1420fc8c0c318b295744a68316b3f055

SHA512
130911be930bd0911735de6eeae637843ab7c68b48a8213aa9b4dabee9cbfcacdb5d1eb927e14c5bec133bedf6a3c30d0a105d1c2e41aeea3338b9f431ef807d

Download Submit
C:\Users\Admin\AppData\Roaming\crypt.exe
Filesize
412KB

MD5
084787a02d925fecd0821303aab375ad

SHA1
d620d2d42a3ee9bb40672d25f93b23fb6f3bbd51

SHA256
49e3c6738e6d99770ac69d75adde05379910f67bd988c378a7ab53e146510de4

SHA512
d6e05094e6c1f407996ed3dcdf82ad1dceddb3f9768d59c9b86d573aeb13af7f13d65d806ff6e925197e9ff8f7ff50efaf32da45fcd514df83aec25043f7de68

Download Submit
C:\Users\Admin\AppData\Roaming\sfasfafs.exe
Filesize
5.2MB

MD5
27f4c8db69b471adac1d5ccfd0ff68d5

SHA1
4e66a5f0cf3019e4c095827429fe93c8b4833550

SHA256
5b1cfa7129a5d5d030d207774022ea3a7d50375c4a6a3291621a71641dda45c2

SHA512
b261ebf44443e6811bbd1ef4aa5cb5110676fffd2dcfe12cb709be65dfe29d1a285ce524b05c73a2aa51fdcca97b5e2fdaaa5e7e74313d7eb750f352a89d42fb

Download Submit
C:\Users\Admin\Downloads\читик.zip
Filesize
8.2MB

MD5
4e92b7bb3e5a81c4373fcedae5584ae2

SHA1
72bf3609cc0dd3a93ec7c06a1717fb6d6fbd689a

SHA256
1669b1510e7acb040fca88d84e363564bc931e550b51acfca5eebaac182127f9

SHA512
19bae138dd6602aad452c94634f6d50e30684b68b1a7207154d8d4df85440fb94b69a6cfb16834697544fb4c803917dcfefd6a50d097c9afde9769169a73f9a4

Download Submit
\??\pipe\LOCAL\crashpad_4456_WNKSJNDXNWQIKWJQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/896-1149-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/896-1163-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/896-1167-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/1728-1191-0x000001E41E3F0000-0x000001E41E3F1000-memory.dmp

Filesize
4KB

Download
memory/1728-1192-0x000001E41E3F0000-0x000001E41E3F1000-memory.dmp

Filesize
4KB

Download
memory/1728-1186-0x000001E41E3F0000-0x000001E41E3F1000-memory.dmp

Filesize
4KB

Download
memory/1728-1185-0x000001E41E3F0000-0x000001E41E3F1000-memory.dmp

Filesize
4KB

Download
memory/1728-1184-0x000001E41E3F0000-0x000001E41E3F1000-memory.dmp

Filesize
4KB

Download
memory/1728-1196-0x000001E41E3F0000-0x000001E41E3F1000-memory.dmp

Filesize
4KB

Download
memory/1728-1190-0x000001E41E3F0000-0x000001E41E3F1000-memory.dmp

Filesize
4KB

Download
memory/1728-1195-0x000001E41E3F0000-0x000001E41E3F1000-memory.dmp

Filesize
4KB

Download
memory/1728-1194-0x000001E41E3F0000-0x000001E41E3F1000-memory.dmp

Filesize
4KB

Download
memory/1728-1193-0x000001E41E3F0000-0x000001E41E3F1000-memory.dmp

Filesize
4KB

Download
memory/1908-1135-0x0000000002F60000-0x0000000002F72000-memory.dmp

Filesize
72KB

Download
memory/2004-1213-0x0000027DB23F0000-0x0000027DB2412000-memory.dmp

Filesize
136KB

Download
memory/2056-1053-0x0000000008D00000-0x0000000008D3C000-memory.dmp

Filesize
240KB

Download
memory/2056-984-0x00000000082F0000-0x0000000008894000-memory.dmp

Filesize
5.6MB

Download
memory/2056-1049-0x0000000009140000-0x0000000009758000-memory.dmp

Filesize
6.1MB

Download
memory/2056-1052-0x0000000008CA0000-0x0000000008CB2000-memory.dmp

Filesize
72KB

Download
memory/2056-1055-0x0000000008D40000-0x0000000008D8C000-memory.dmp

Filesize
304KB

Download
memory/2056-1043-0x0000000005210000-0x000000000525C000-memory.dmp

Filesize
304KB

Download
memory/2056-986-0x0000000007D40000-0x0000000007DD2000-memory.dmp

Filesize
584KB

Download
memory/2056-981-0x00000000017E0000-0x00000000017F2000-memory.dmp

Filesize
72KB

Download
memory/2056-1050-0x0000000008DB0000-0x0000000008EBA000-memory.dmp

Filesize
1.0MB

Download
memory/2056-980-0x0000000000F70000-0x0000000000F80000-memory.dmp

Filesize
64KB

Download
memory/2056-1047-0x0000000005850000-0x000000000585A000-memory.dmp

Filesize
40KB

Download
memory/2332-1150-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/2332-1162-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/2332-1161-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/3424-1125-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/3424-1289-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/3424-1127-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/3424-1128-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/4252-1248-0x00000185BF0F0000-0x00000185BF0F6000-memory.dmp

Filesize
24KB

Download
memory/4252-1245-0x00000185BF0B0000-0x00000185BF0BA000-memory.dmp

Filesize
40KB

Download
memory/4252-1244-0x00000185BF0D0000-0x00000185BF0EC000-memory.dmp

Filesize
112KB

Download
memory/4252-1243-0x00000185BEE80000-0x00000185BEE8A000-memory.dmp

Filesize
40KB

Download
memory/4252-1242-0x00000185BEEB0000-0x00000185BEF65000-memory.dmp

Filesize
724KB

Download
memory/4252-1241-0x00000185BEE90000-0x00000185BEEAC000-memory.dmp

Filesize
112KB

Download
memory/4252-1246-0x00000185BF110000-0x00000185BF12A000-memory.dmp

Filesize
104KB

Download
memory/4252-1247-0x00000185BF0C0000-0x00000185BF0C8000-memory.dmp

Filesize
32KB

Download
memory/4252-1249-0x00000185BF100000-0x00000185BF10A000-memory.dmp

Filesize
40KB

Download
memory/4296-1145-0x0000000000F90000-0x0000000000FA2000-memory.dmp

Filesize
72KB

Download
memory/4356-1144-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/4356-1148-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/4356-1142-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/4388-1291-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/4476-1268-0x0000000000670000-0x0000000000690000-memory.dmp

Filesize
128KB

Download
memory/4476-1269-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4476-1266-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4476-1265-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4476-1273-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4476-1270-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4476-1271-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4476-1272-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4476-1264-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4476-1260-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4476-1261-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4476-1263-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4476-1267-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4676-1155-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/5060-1290-0x0000000001320000-0x0000000001332000-memory.dmp

Filesize
72KB

Download
memory/5408-1124-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/5928-1046-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/5928-1281-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/5928-1078-0x0000000006A80000-0x0000000006A92000-memory.dmp

Filesize
72KB

Download
memory/5928-1064-0x0000000006B10000-0x0000000006BAC000-memory.dmp

Filesize
624KB

Download
memory/5928-1056-0x00000000077A0000-0x0000000007806000-memory.dmp

Filesize
408KB

Download
memory/5928-1051-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/5928-1054-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/5952-1255-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5952-1262-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5952-1254-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5952-1253-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5952-1256-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5952-1257-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/6036-1176-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/6036-1170-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/6036-1177-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/6104-1171-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/6104-1168-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/6104-1152-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/6136-1169-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/6136-1175-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download
memory/6136-1174-0x00000000004C0000-0x00000000009F4000-memory.dmp

Filesize
5.2MB

Download