hxxps://justd[.]my1[.]ru/load/chity/khaki/bat_vredilko_generator/4-1-0-2

Analysis

max time kernel
378s
max time network
390s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://justd.my1.ru/load/chity/khaki/bat_vredilko_generator/4-1-0-2

Score

8^/10

discovery evasion persistence phishing upx

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

7zFM.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation 7zFM.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	7zFM.exe

Executes dropped EXE 17 IoCs

Processes:

7z2406.exe7zFM.exeBvG.exe000.exe000.exe000.exe000.exe000.exe000.exe000.exe000.exeBvG.exevred.exevred.exevred.exevred.exevred.exe

pid	process
5344	7z2406.exe
4376	7zFM.exe
5200	BvG.exe
5172	000.exe
2032	000.exe
6044	000.exe
4656	000.exe
400	000.exe
5076	000.exe
4348	000.exe
6040	000.exe
3332	BvG.exe
6024	vred.exe
1160	vred.exe
5648	vred.exe
3192	vred.exe
3528	vred.exe

Loads dropped DLL 1 IoCs

Processes:

7zFM.exe

pid process

4376 7zFM.exe

pid	process
4376	7zFM.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zO8118C8A9\BvG.exe	upx
behavioral1/memory/5200-988-0x0000000000400000-0x0000000000758000-memory.dmp	upx
behavioral1/memory/5200-998-0x0000000000400000-0x0000000000758000-memory.dmp	upx
behavioral1/memory/5200-999-0x0000000000400000-0x0000000000758000-memory.dmp	upx
behavioral1/memory/5200-1000-0x0000000000400000-0x0000000000758000-memory.dmp	upx
behavioral1/memory/5200-1001-0x0000000000400000-0x0000000000758000-memory.dmp	upx
behavioral1/memory/5200-1014-0x0000000000400000-0x0000000000758000-memory.dmp	upx
behavioral1/memory/5200-1067-0x0000000000400000-0x0000000000758000-memory.dmp	upx
behavioral1/memory/5200-1077-0x0000000000400000-0x0000000000758000-memory.dmp	upx
behavioral1/memory/5200-1087-0x0000000000400000-0x0000000000758000-memory.dmp	upx
behavioral1/memory/3332-1097-0x0000000000400000-0x0000000000758000-memory.dmp	upx
behavioral1/memory/3332-1116-0x0000000000400000-0x0000000000758000-memory.dmp	upx
behavioral1/memory/3332-1117-0x0000000000400000-0x0000000000758000-memory.dmp	upx
behavioral1/memory/3332-1119-0x0000000000400000-0x0000000000758000-memory.dmp	upx
behavioral1/memory/3332-1133-0x0000000000400000-0x0000000000758000-memory.dmp	upx
behavioral1/memory/3332-1134-0x0000000000400000-0x0000000000758000-memory.dmp	upx
behavioral1/memory/3332-1137-0x0000000000400000-0x0000000000758000-memory.dmp	upx
behavioral1/memory/3332-1139-0x0000000000400000-0x0000000000758000-memory.dmp	upx
behavioral1/memory/3332-1144-0x0000000000400000-0x0000000000758000-memory.dmp	upx
behavioral1/memory/3332-1293-0x0000000000400000-0x0000000000758000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Detected phishing page
phishing

Drops file in Program Files directory 64 IoCs

Processes:

7z2406.exe

description	ioc	process
File created	C:\Program Files (x86)\7-Zip\Lang\ro.txt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\th.txt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\kk.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ky.txt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\nb.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\nn.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\zh-tw.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hr.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sl.txt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\fr.txt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\nl.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sw.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\tt.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ug.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\History.txt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\bg.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\de.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\en.ttt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\pt-br.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\da.txt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\lt.txt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ta.txt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Uninstall.exe	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hy.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ja.txt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\va.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\va.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\be.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\br.txt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\mk.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\el.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\lv.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\pa-in.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\7zCon.sfx	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\hy.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\mn.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\uk.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Uninstall.exe	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\bn.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\bn.txt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\lij.txt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\tt.txt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\hr.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ms.txt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\sl.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\uz.txt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\pl.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\an.txt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ar.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fr.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\pl.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\License.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\gl.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\af.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\it.txt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7-zip.chm	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ba.txt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ext.txt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\gl.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\mk.txt	7z2406.exe
File created	C:\Program Files (x86)\7-Zip\Lang\mr.txt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\en.ttt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\sa.txt	7z2406.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7zCon.sfx	7z2406.exe

Drops file in Windows directory 2 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Win32.bat cmd.exe
File opened for modification C:\Windows\Win32.bat cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Win32.bat	cmd.exe
File opened for modification	C:\Windows\Win32.bat	cmd.exe

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4692 taskkill.exe

pid	process
4692	taskkill.exe

Modifies registry class 64 IoCs

Processes:

explorer.exeexplorer.exeOpenWith.exeBvG.exeBvG.exe7z2406.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	BvG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	BvG.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	BvG.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	BvG.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	BvG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	BvG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files (x86)\\7-Zip\\7-zip.dll"	7z2406.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	BvG.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	BvG.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	BvG.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	BvG.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	BvG.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	BvG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	BvG.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Documents"	BvG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	BvG.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	BvG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	BvG.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	BvG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	BvG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	BvG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	BvG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	BvG.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	BvG.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy	BvG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	BvG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "5"	BvG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	BvG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2406.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2406.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2406.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	BvG.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	BvG.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2080292272-204036150-2159171770-1000\{27245C30-1908-43DA-A466-37BB7087FD87}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	BvG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	BvG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	BvG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	BvG.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000090000000	BvG.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2406.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	BvG.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2406.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2406.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	BvG.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	BvG.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	BvG.exe

Modifies registry key 1 TTPs 6 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exe

pid process

3136 reg.exe
5812 reg.exe
856 reg.exe
2000 reg.exe
5620 reg.exe
4964 reg.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 195178.crdownload:SmartScreen msedge.exe
Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

4656 NOTEPAD.EXE
4464 NOTEPAD.EXE

pid	process
3136	reg.exe
5812	reg.exe
856	reg.exe
2000	reg.exe
5620	reg.exe
4964	reg.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 195178.crdownload:SmartScreen	msedge.exe

pid	process
4656	NOTEPAD.EXE
4464	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exe7zFM.exe

pid	process
3536	msedge.exe
3536	msedge.exe
4956	msedge.exe
4956	msedge.exe
4016	msedge.exe
4016	msedge.exe
4808	identity_helper.exe
4808	identity_helper.exe
1568	msedge.exe
1568	msedge.exe
6016	msedge.exe
6016	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1380	msedge.exe
1160	msedge.exe
1160	msedge.exe
4376	7zFM.exe
4376	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

OpenWith.exe7zFM.exeBvG.exeBvG.exe

pid process

1476 OpenWith.exe
4376 7zFM.exe
5200 BvG.exe
3332 BvG.exe

pid	process
1476	OpenWith.exe
4376	7zFM.exe
5200	BvG.exe
3332	BvG.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

Processes:

msedge.exe

pid	process
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

7zFM.exetaskkill.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeRestorePrivilege	4376	7zFM.exe
Token: 35	4376	7zFM.exe
Token: SeSecurityPrivilege	4376	7zFM.exe
Token: SeSecurityPrivilege	4376	7zFM.exe
Token: SeDebugPrivilege	4692	taskkill.exe
Token: SeShutdownPrivilege	2280	explorer.exe
Token: SeCreatePagefilePrivilege	2280	explorer.exe
Token: SeShutdownPrivilege	2280	explorer.exe
Token: SeCreatePagefilePrivilege	2280	explorer.exe
Token: SeShutdownPrivilege	2280	explorer.exe
Token: SeCreatePagefilePrivilege	2280	explorer.exe
Token: SeShutdownPrivilege	2280	explorer.exe
Token: SeCreatePagefilePrivilege	2280	explorer.exe
Token: SeShutdownPrivilege	2280	explorer.exe
Token: SeCreatePagefilePrivilege	2280	explorer.exe
Token: SeShutdownPrivilege	2280	explorer.exe
Token: SeCreatePagefilePrivilege	2280	explorer.exe
Token: SeShutdownPrivilege	2280	explorer.exe
Token: SeCreatePagefilePrivilege	2280	explorer.exe
Token: SeShutdownPrivilege	2280	explorer.exe
Token: SeCreatePagefilePrivilege	2280	explorer.exe
Token: SeShutdownPrivilege	2280	explorer.exe
Token: SeCreatePagefilePrivilege	2280	explorer.exe
Token: SeShutdownPrivilege	2280	explorer.exe
Token: SeCreatePagefilePrivilege	2280	explorer.exe
Token: SeShutdownPrivilege	4172	explorer.exe
Token: SeCreatePagefilePrivilege	4172	explorer.exe
Token: SeShutdownPrivilege	4172	explorer.exe
Token: SeCreatePagefilePrivilege	4172	explorer.exe
Token: SeShutdownPrivilege	4172	explorer.exe
Token: SeCreatePagefilePrivilege	4172	explorer.exe
Token: SeShutdownPrivilege	4172	explorer.exe
Token: SeCreatePagefilePrivilege	4172	explorer.exe
Token: SeShutdownPrivilege	4172	explorer.exe
Token: SeCreatePagefilePrivilege	4172	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exepea.exe

pid	process
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
3076	pea.exe
3076	pea.exe
3076	pea.exe
3076	pea.exe
3076	pea.exe
3076	pea.exe
3076	pea.exe
3076	pea.exe
3076	pea.exe
3076	pea.exe
3076	pea.exe

Suspicious use of SendNotifyMessage 50 IoCs

Processes:

msedge.exeexplorer.exeexplorer.exe

pid	process
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
4172	explorer.exe
4172	explorer.exe
4172	explorer.exe
4172	explorer.exe
4172	explorer.exe
4172	explorer.exe
4172	explorer.exe
4172	explorer.exe
4172	explorer.exe
4172	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

OpenWith.exe7z2406.exeOpenWith.exe

pid	process
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
1676	OpenWith.exe
5344	7z2406.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe
1476	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4956 wrote to memory of 4256	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 4256	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3692	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3536	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 3536	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 2296	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 2296	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 2296	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 2296	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 2296	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 2296	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 2296	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 2296	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 2296	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 2296	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 2296	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 2296	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 2296	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 2296	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 2296	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 2296	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 2296	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 2296	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 2296	4956	msedge.exe	msedge.exe
PID 4956 wrote to memory of 2296	4956	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://justd.my1.ru/load/chity/khaki/bat_vredilko_generator/4-1-0-2
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd66e246f8,0x7ffd66e24708,0x7ffd66e24718
2⤵
PID:4256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
2⤵
PID:3692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
2⤵
PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
2⤵
PID:1040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
2⤵
PID:528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
2⤵
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4788 /prefetch:8
2⤵
PID:4344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
2⤵
PID:3248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 /prefetch:8
2⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
2⤵
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
2⤵
PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
2⤵
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
2⤵
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
2⤵
PID:64

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
2⤵
PID:60

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
2⤵
PID:2848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5412 /prefetch:8
2⤵
PID:624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5324 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
2⤵
PID:3196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
2⤵
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:1
2⤵
PID:5584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
2⤵
PID:5748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
2⤵
PID:6004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7048 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
2⤵
PID:5936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2612 /prefetch:1
2⤵
PID:2356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6976 /prefetch:1
2⤵
PID:5868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
2⤵
PID:1296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4772 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7236 /prefetch:1
2⤵
PID:5584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4772 /prefetch:8
2⤵
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
2⤵
PID:6124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,18422268539371492836,11680421466100392445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1160

C:\Users\Admin\Downloads\7z2406.exe
"C:\Users\Admin\Downloads\7z2406.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2192

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1676

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4184

C:\Users\Admin\Downloads\peazip_portable-9.8.0.WINDOWS\peazip_portable-9.8.0.WINDOWS\pea.exe
"C:\Users\Admin\Downloads\peazip_portable-9.8.0.WINDOWS\peazip_portable-9.8.0.WINDOWS\pea.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:3076

C:\Users\Admin\Downloads\peazip_portable-9.8.0.WINDOWS\peazip_portable-9.8.0.WINDOWS\pea.exe
"C:\Users\Admin\Downloads\peazip_portable-9.8.0.WINDOWS\peazip_portable-9.8.0.WINDOWS\pea.exe" CHECK HEX CRC32 CRC64 MD5 RIPEMD160 SHA1 BLAKE2S SHA256 SHA3_256 ON "C:\Users\Admin\Downloads\2_BvG.rar"
2⤵
PID:6036

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1476

C:\Program Files (x86)\7-Zip\7zFM.exe
"C:\Program Files (x86)\7-Zip\7zFM.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Users\Admin\AppData\Local\Temp\7zO8118C8A9\BvG.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8118C8A9\BvG.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:5200

C:\Users\Admin\AppData\Local\Temp\7zO8111D61B\BvG.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8111D61B\BvG.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:3332

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3844

C:\Users\Admin\Desktop\000.exe
"C:\Users\Admin\Desktop\000.exe"
1⤵
- Executes dropped EXE
PID:5172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CDD1.tmp\btec.bat""
2⤵
PID:4928

C:\Users\Admin\Desktop\000.exe
"C:\Users\Admin\Desktop\000.exe"
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DC86.tmp\btec.bat""
2⤵
PID:3668

C:\Users\Admin\Desktop\000.exe
"C:\Users\Admin\Desktop\000.exe"
1⤵
- Executes dropped EXE
PID:6044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E4F3.tmp\btec.bat""
2⤵
PID:5564

C:\Users\Admin\Desktop\000.exe
"C:\Users\Admin\Desktop\000.exe"
1⤵
- Executes dropped EXE
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E792.tmp\btec.bat""
2⤵
PID:5628

C:\Users\Admin\Desktop\000.exe
"C:\Users\Admin\Desktop\000.exe"
1⤵
- Executes dropped EXE
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAEE.tmp\btec.bat""
2⤵
PID:4944

C:\Users\Admin\Desktop\000.exe
"C:\Users\Admin\Desktop\000.exe"
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ED30.tmp\btec.bat""
2⤵
PID:5332

C:\Users\Admin\Desktop\000.exe
"C:\Users\Admin\Desktop\000.exe"
1⤵
- Executes dropped EXE
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EFB1.tmp\btec.bat""
2⤵
PID:4512

C:\Users\Admin\Desktop\000.exe
"C:\Users\Admin\Desktop\000.exe"
1⤵
- Executes dropped EXE
PID:6040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F723.tmp\btec.bat""
2⤵
PID:5244

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1700

C:\Users\Admin\Desktop\vred.exe
"C:\Users\Admin\Desktop\vred.exe"
1⤵
- Executes dropped EXE
PID:6024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D7CE.tmp\btec.bat""
2⤵
PID:1680

C:\Users\Admin\Desktop\vred.exe
"C:\Users\Admin\Desktop\vred.exe"
1⤵
- Executes dropped EXE
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EB08.tmp\btec.bat""
2⤵
PID:3548

C:\Users\Admin\Desktop\vred.exe
"C:\Users\Admin\Desktop\vred.exe"
1⤵
- Executes dropped EXE
PID:5648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EC60.tmp\btec.bat""
2⤵
PID:5380

C:\Users\Admin\Desktop\vred.exe
"C:\Users\Admin\Desktop\vred.exe"
1⤵
- Executes dropped EXE
PID:3192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EE93.tmp\btec.bat""
2⤵
PID:6008

C:\Users\Admin\Desktop\vred.exe
"C:\Users\Admin\Desktop\vred.exe"
1⤵
- Executes dropped EXE
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F096.tmp\btec.bat""
2⤵
PID:3588

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\dfg.bat"
1⤵
PID:5432

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\dfg.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:4656

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\dfg.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:4464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\dfg.bat"
1⤵
- Drops file in Windows directory
PID:5560

C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Windows\system32\reg.exe
Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot /f
2⤵
- Modifies registry key
PID:5620

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\" /v Win32 /t REG_SZ /d C:WindowsWin32.bat /f
2⤵
PID:3488

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
- Modifies registry key
PID:5812

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
2⤵
- Disables RegEdit via registry modification
- Modifies registry key
PID:3136

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD/t REG_DWORD/d 2 /f
2⤵
- Modifies registry key
PID:4964

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f
2⤵
- Modifies registry key
PID:856

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer/v NoControlPanel /t REG_DWORD /d 1 /f
2⤵
- Modifies registry key
PID:2000

C:\Windows\explorer.exe
explorer
2⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:2280

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3172

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4172

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4088

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1560

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5716

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2108

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5044

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1708

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5384

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5888

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\7-Zip\7z.dll
Filesize
1.2MB

MD5
29a34c57610eea82931e8e9b6ce2c8e7

SHA1
321040f01c5bd84e5e4fe3abbec972445b45e242

SHA256
e231abd80c42bcb64a10afe17d0b9814a7b6cfe014259a7f8182f2fcdcd980e1

SHA512
3018a6dc001696c59330dca6ef994b0c3c5fabbe63bbe5670ca344beca632c328ee227c2db7a9d1e5ff84c56d3f2a5716ebad8113a2648d2c5480a75e83d5ca8

Download Submit
C:\Program Files (x86)\7-Zip\7zFM.exe
Filesize
595KB

MD5
a4ea6bd8cd1266862e58572105f1615c

SHA1
d24df6d8734d2dff878b79226a46788422dfed03

SHA256
56332f59912d67d7b73765928aa02009a0be88b8db89287ad26c883265360544

SHA512
40ba9c4aeb74d11b555a82779f0130c576a7983ab7e402e25ee2feda1c4995751b13627adb07a9fe4bcf61cbf0fddf065702ace8743915efb3fe64d2ec8b9d53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
81e892ca5c5683efdf9135fe0f2adb15

SHA1
39159b30226d98a465ece1da28dc87088b20ecad

SHA256
830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17

SHA512
c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
56067634f68231081c4bd5bdbfcc202f

SHA1
5582776da6ffc75bb0973840fc3d15598bc09eb1

SHA256
8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4

SHA512
c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
Filesize
207KB

MD5
8f5efe5cb743df3516869e6a10bb310b

SHA1
7c676565f684b409f99cf1331ccf8a31026aa705

SHA256
37082199edbaa1746690251de3779cb1261e9966102743e9721e5a9bef99b467

SHA512
902d9e12178f948bc389e1f3f86f64dbbe604d583498957be2816c942eadec87c35ee5bc0ab8d8fbfe681357f622e2a8fc0892e9c6ab324b19f3a416b4e36953

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f
Filesize
63KB

MD5
5d0e354e98734f75eee79829eb7b9039

SHA1
86ffc126d8b7473568a4bb04d49021959a892b3a

SHA256
1cf8ae1c13406a2b4fc81dae6e30f6ea6a8a72566222d2ffe9e85b7e3676b97e

SHA512
4475f576a2cdaac1ebdec9e0a94f3098e2bc84b9a2a1da004c67e73597dd61acfbb88c94d0d39a655732c77565b7cc06880c78a97307cb3aac5abf16dd14ec79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010
Filesize
69KB

MD5
12e9d433aa286aa9a60f779569cea593

SHA1
03a19dddc16fd6ddd3f6d447dc4735e02fa5a04a

SHA256
2a023b05903647e42c3d506a3b54712c9f17738acb72bd824423dba4d28bee23

SHA512
7932dcc399307524954ad278963b316b755d054782ee7fa35cbcfd07a05e9766e99ec9e90d2127e68766afe3d8c571f10813927e1be8d7831936237b1282d858

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011
Filesize
42KB

MD5
80563705367e4b4082b4b80f8571a4cd

SHA1
72d730da1499b25b66bef22e3b823d9813082f1a

SHA256
3d258442f00d724408e414f42c74a8c512228ea9e33958e6a173686f117c2d4f

SHA512
76b2692b08e5a5ba4f044db528089b2e13478164f92cb7f1c500c2f2169a2671d791adfde8446c7f1b41017724e05d520a3f0d04c764d800af060885b32c48a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
Filesize
19KB

MD5
635efe262aec3acfb8be08b7baf97a3d

SHA1
232b8fe0965aea5c65605b78c3ba286cefb2f43f

SHA256
8a4492d1d9ca694d384d89fa61cf1df2b04583c64762783313029ae405cbfa06

SHA512
d4b21b43b67697f1c391147691d8229d429082c389411167386f5c94e3a798f26c2457adf6d06caec446106e0f0aa16d895bfc4e8a1ff9e9c21a51173a923e3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013
Filesize
64KB

MD5
2923c306256864061a11e426841fc44a

SHA1
d9bb657845d502acd69a15a66f9e667ce9b68351

SHA256
5bc3f12e012e1a39ac69afba923768b758089461ccea0b8391f682d91c0ed2fa

SHA512
f2614f699ac296ee1f81e32955c97d2c13177714dbd424e7f5f7de0d8869dd799d13c64929386ac9c942325456d26c4876a09341d17d7c9af4f80695d259cfea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014
Filesize
88KB

MD5
77e89b1c954303a8aa65ae10e18c1b51

SHA1
e2b15a0d930dcc11f0b38c95b1e68d1ca8334d73

SHA256
069a7cc0309c5d6fc99259d5d5a8e41926996bbae11dc8631a7303a0c2d8c953

SHA512
5780d3532af970f3942eecf731a43f04b0d2bdb9c0f1a262dbd1c3980bcc82fe6d2126236ad33c48ea5434d376de2214d84a9a2ccec46a0671886fe0aa5e5597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016
Filesize
1.2MB

MD5
eb63aad3cfbfc8e4570b89c9f2f651c7

SHA1
c4ae7ad4c021508f7721b16e82efd60826b1e96a

SHA256
dd2ae4d6b1cbf32b75433ea22afa1022f8aba05f521447bfd9b186694a022467

SHA512
df0ee255da8abac46386a70ae562d30d7e898bf7070e9082ded20546cac552ef951b77b5fb8b12f907828c65409f6450258791eaa1e0739c89810cfc3ad07db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
79a47a11206c64a8ad2954bae125c14e

SHA1
241d5c9c4e43eebcf241ccba0896d7891442c40e

SHA256
29c6b91f11c88c7c22fa582a69be93a36e441ce999d5463dd70221d91b78146b

SHA512
e0224a6d26f7061086ee198f5f1466f89f90d7846f6e257a244ec6e78dc6aa6fadd696e89b4235a33055fb544c2ffe40fa45913826071969ca332e3b039a0dd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
264B

MD5
67448b4aaa20525f25fff6b702e324f5

SHA1
14b6c1e2d008834fae03f681f60721b5b9f44d45

SHA256
ff67ab08b2e0211483edb47feb70fcc0de006f5911c0b0cc93969a324320847e

SHA512
209d74ba68c6d8d73eb59f0fdd92818db9401f2a48d4a910cdd620545ce72f6736ec83d40343adacb1a21776a456908609955a5ad6196f9066585eed03fc3842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
fad2ad0316b8145c7c1b1cb15ad6702c

SHA1
afba780cb74fb2567ab52d29aa4abe9e4c39e60e

SHA256
533c5046cdc1c12902c8b7deb79698b49c126b727dc6801a5d02991a61466714

SHA512
6dd0cf88d34485de520885661f56d851dbaef7a15417c6612fdd728090a687fbbef86239866e9841e7d74dfcdd93ab90c7f7ab9c01336f2dfb8f8a17bb7d6158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
1f574bcc35704ff2bf10071870c886f5

SHA1
fb3e30d3df7d59523166f652e583ccd6c7edfa71

SHA256
df0236a828e565a0f45f5e7f105ab9a6306b30e1e1afa0d258ad7211eea0c9ed

SHA512
174e4d9064b5a90cef6b25ccc6544e08f5fc492eeadd7fb9add89eac6456a08fe9e6da8dcc37f99644daa7a6d43a5ccebf76b618f8666fbf9fee357551cd82a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
36f848395512c0ba0c7bd1f55b4e7d7b

SHA1
a1e929b6c9772b885cf71d9b36aff906b085ce5d

SHA256
4b06dcf72d1ec03e642a5c9f268c11340710bb383e1cbedfda194eb0cbf50cd6

SHA512
10c075e28cb8b27e2b0057434e4ed847c541b435b3a9fcb968b6631c8e2b6ba30f655fcabd70defbd31dc545da34cc66d3cfc1ef896da48c67aab71ec78949b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a57da25443a9fe5b8eef2c85d84157d5

SHA1
7a13cd525c540b736a6c6608e1a62c8c0cbb80ad

SHA256
01798580ba6f13c05ff732fbc19ef96e77b374e8c99c29955408f24329a7b6c0

SHA512
01ec095283a64c07788efd3ac3c48cdcac74aa8b82a2c339e7215c568563d236a9f15fc2b781bef785c1360704c2e5d6dc74af62cddac3bc8339389a93893b7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
89c36ae07d25320e137fd5dcdf80d609

SHA1
529f1b406421a47782889e169053af268e864dc1

SHA256
cbe2f8cdf94cc96701af0c0e918a49e37828b6fa49c3c72ad54e563604c15623

SHA512
234dbcd7c144c1f8ffdd05135c1f76f04265eb58c3b0e0e62ee34bffcacb0dd5fc27c36492cefa7083a9874a94972bcaa301972915c813ae53219937adb0a469

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
082f997703ab3b4fde51aa55c67811d8

SHA1
ccc6a5d904bb0061755e8f4a2429ed198195cf15

SHA256
d6691ac5384c099ad6bab513cf6a47896a8ef16c1c5017ceaf0834d896931468

SHA512
8cda22ea3d81e38642336f867f412915a33184ff25c8ce318a02596ced9553a9826c25e83163b7f4fb565a6c32b94773531ea5ee75cc48f73797be4940e08dbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
0ee44a6c8fea7c7f7b039d022ed6f0ae

SHA1
114d41d940e5c96194fcaa3412c43ddc38acde91

SHA256
7d01d2bb6279b35241f048f302837e1d959c087d9bd25ff1b41070013d868859

SHA512
ddf906bf955fb4fbf8571c4c0898e4a851792bebb359f34edbd7b65774868ae310ae87b28c5e9d15e8b0e563259d03cebfc4aa0091e4ab71d13ee41046cd83a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
1950c36a80cfd623ec112ef19a3de296

SHA1
60d9cb96b8477cded7ffb3964919ea21e05cd840

SHA256
34f44f98485ed5a802a87e59f8d37928743d379901d1d37ec65e3a111d16123f

SHA512
1834bfc799ed1506bdb59d8777cfa25dc16502e9f16420e128a6e997bda626a72391ebd863c85b14ec68a24a27fb80348de594c725bf63ac614a278ede3acdf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
bc4f4e2d6d828ebb97577875cde9dabd

SHA1
1f4a999b78c6c733f26c74d13af925346ab45a11

SHA256
2e2bfca0be114602b2cb286fe956d853272ca0660ea894f640bbc49d05be2d9e

SHA512
b1cb6944d93f45f3eb19b10e16b99274097892709a94fe53b426f98665998e6306980754484a218cfde768d57b75946accb102336d317b9786933288c3634d08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
50e202f072cc81dfcc076a44bcfda6b3

SHA1
e0c4732a8fd57e35c994b21d745032dadba5b336

SHA256
b6baf0cb095d7042949ea6c865f1f4918401431eae83370ef71206255b3800e2

SHA512
337b27c8b3d2f16539e2d002a88dc6bff4e7d5a2c468f6b7af6e4fd0da98a6dc508e2af73b12d593281afa97f6d39d30617143aa6294d5b2fe1a66e152286437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
2573ef24fb755bdf22c4c1dd4b612ceb

SHA1
5fac48224997e025305438c530484909c27e0f3b

SHA256
5c9e7e7b0a9dc24bf54f0971aff89442ec26d12426017e9fab1d1ece69a1993d

SHA512
0017a259b81f8fb8f00291d1df892eaf120501a65a58f219833a96fdf00a4301112cf4fd593ade9c64f72033d93d8dd491c116f62d4690b69cf5750cc4d70c9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
0d3088e6e187c6942771d46f661863fc

SHA1
abd10ef6b9a2827a3d8589d87acc72ad947481c7

SHA256
924abe737892a3ed762d9dd0465e21df9fce4caeb5b1cd9988e9fc5ebde95f48

SHA512
a07d196581ad1631707f91f823d45ec58eacafc307222872d202167760d3ac6291e2c2b0887e2d3eb0b890206deb3e07c218c0ce60601e30884753664b019b5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
9ccc488780e4af3fe81e2804e7e4e546

SHA1
ea24c8dcc28d5df56b50d56a267842d7bed8f524

SHA256
1dd5ba3245d2931f4e4cae322cda1dcdfb43d2dbf03dc75ed1a803c99b57cad4

SHA512
a5135ac004219085ec3a9f777db236cf4e7a48d1bb7656e78b4c6c26470c76d7accf583c420f43959c7ced4776707cf3cc1afb4f22c71f27e3b8b9437c68f607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
360cb373fec6cfb59d279a6286ec7d98

SHA1
119a9e5b04cfd9acab0298ad30671aecbdcb10da

SHA256
8bffdf99f1dd1bdd3103b06900535f28c44cfb41bbfc3e850ec4a8b20d83d687

SHA512
4365e9c7b1632eea439235e2838d386767ceac9e2f7cc62dcf3c6c7069e521c67cc0a81101dc3503c641e57b4844a66c6c683aaa1b7f4c33f7d7b27842606b1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe579088.TMP
Filesize
48B

MD5
2f5c12f5a9c23aad6c7c004da0b2320d

SHA1
d6ec2a87286ba45c204d41ccff663b7a3e0778f4

SHA256
dbc4a78c7e258d50b96c7e3c3320ad8ce5433b9b44592856751c8ec6db0ff222

SHA512
cc4c3691989c802edb73705876bbb7a9899ecc1c662fbe2686dae692097258da09dd93683ff0aae5ffb50941ace2f90c065997e347f9b4a6a05da35455ad48d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
5ed094bb471741471446bde3e0ab5997

SHA1
cec2d261fc7524bc1a077f5c6cf8def72bca1e3c

SHA256
eaf0612e53b91868d1449b0f16bb64239da87155d45378750b2b7fb752049f53

SHA512
91dcc02b0462367e14b0e1466764d9e9c7a27459b17bb8fc5989dba3c676d4c4f81682c2a6b88d8b37f512a4d98fc57c113f25e0a4f237765d96c7b985a220a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
22a31eb2e0c0ffc3a699734fcef814c9

SHA1
bdf389eb11aee4bdbb59f591e44077f531ddb31e

SHA256
ad24b4346c5975701b8c354139c81f6ebcefa37f5c1f4807d4af25faa664a351

SHA512
6c38cfdec981462664291f628e16dcd31e01889862e38c50e9daea0607fa9f0f8f5683d59ae4927538ce9f4a98ed234e9339eecf676f1b10294b3636d125f884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
c82122d8198c6b40a2913fa65088737c

SHA1
3832af83f3b2aa9e9e1eb8af235b6c79fbc29851

SHA256
9a6c1c3331d0b780b8727dae0bec7229dff993cef47b70967d6757000e19a057

SHA512
058d8694c41f02d43aa86af622582f780272bcc91ba50cd296cf656a2ff7f3bc0b1f74d11887883aaff8858a26230e732f9cb242c038a89da82f49f443b6ccb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
f38ea6421a144b77503ce98707c49b03

SHA1
740f7456f5de639e9e40f31c43bf44f17113ce57

SHA256
c25fa33ddaf7f0c6ffd9e37d438aa1e6b55bb32e61f7ede31912f20604a89443

SHA512
9e28482a06fd7ec1a069e26d00812aa909be15a025910e9ac0efdddcf38f9d8634a34c63aad3b62a454043e80c961e5b08a4c1f5df8bf7212eb5328c45e25233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bce7.TMP
Filesize
540B

MD5
eae2dd6fa28f65932be5fdd501d08ef6

SHA1
649bfbcf44f63fb72f1467eaa92128ca4a39affe

SHA256
a317e94a8c9b75b4c2f29185285134bc18d3e79f9d3cd1dad2ee2f3276ffe939

SHA512
81d3c81de8a07b5d0f67bbe970203dd5eeb5dfb39b8757b4d3aa1bdcc0fdb64531b6715bb353544593d099332a1bcd78a05971954270e7e93dc7a0b98dc1a0bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
ba9628e5785fe9eb85a34c9b0db632b2

SHA1
1e566c3b76aed5ee6d25d73772a99583fa8a31f0

SHA256
6f029a61019037b2330055bccb65cd055b66e3ae271eadaee698a629ca3980c7

SHA512
7604655c9d155879ac4a3c5a23cc2cee965bd967a987409edbd041980e083969987cc6566f5a288dbf74934af9eed9b34ae9d6517d59244dcaacf85d146aeeda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
b254b1721100ac1ef1bb4562e7dac864

SHA1
91f6930e997586aecd32428ebdb4aeb48b559e98

SHA256
4bd32b3ce0fbe09d53502788b798b616cc1ce1d4cccf7b7d2ba35037070c675f

SHA512
0d78edd7a0ed6f9b60a3ae82cb0e845a420dc6342c3d28e500835b9b525551319b517bc19a6c7339d54429624da09312e189d4ad1c2731a003bfbc4b0d4cd8d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
d70399a5513f69edcc7aff16f40c13cc

SHA1
c37812a16b3ac7facfdf9e3c59625ae835ff2370

SHA256
ebad3c8772711d4c38a2e5f1cdabbe359dcd517f34aa028bf59d6cad5eb5cbf9

SHA512
5dbbd0411c989e6321a245925ccd8f36071db588bfe5ef8340cf4f8674e2e752797cbe629437e24c05e249248017a6239e3d981b9036c12e5fc9890841fa8610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
15a078abff03b07d885515d354a50775

SHA1
ba4f47f65b8464c2e77dcf962cc779730502f7af

SHA256
2f84f5cf21e462f688e06a55aeb889ee2cb1cae0b778836883064ebf6846b2b1

SHA512
7dacbeb8c267b7bc3d2779730f8b60a5554c2bb0f208ee2545785367482100f9f39a50576b2753e72a0d87058d2b2e595f093e70d52707b52cfdd49832aa69b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
9eb9bbc6e180879756ac25c6c4fc40ce

SHA1
82bcfbd08f2f8700070d5bbd617952c0de3304f9

SHA256
5d437942dfdd7581de65d9710cbcb1e3ba39a5eed00d9f79b54c6bc18894b649

SHA512
826bfa5a9e0d85f8c54f0449773fb8b618913a31956bf71088463ebe2b0a60a4e7de9af52e59e879a39093fcc05600338ac119e24112f1524ba72728b4d69144

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
b12e1d665e42a6d1306d35fa2d27b068

SHA1
267c0cfeef7cd120733f44c6a754b33468cd531a

SHA256
dff012abb9ae4177f1fd0fceb09b727b40b277651a00b31b2b088196345852df

SHA512
df4e195df036bc713209167efbf4a0a5e1f896465342ae487c5b62eebdd6f2bef452cb0787a5e1b1d481274586ccbbfca7df2320f0bc27a74c07324bc10365b3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZD788ZAR\microsoft.windows[1].xml
Filesize
96B

MD5
fb128dd23be90403a359178e993c9d0f

SHA1
26fd6915e3556d4cd004f62d06fbca7926807544

SHA256
8da3b3625b4cd2b5eb982bb67a9478c68e411b45c46fb8548a62855069fc1c34

SHA512
7fe9d62e3ce2cc4818e8b16323bf94e1d31b2a492fe5afbc16ac4cb806fcf8449d63e5f5d40fae431fa91d28cf532ccbc74bc5af2fa18b6ee5ebf8c6399febdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8118C8A9\BvG.exe
Filesize
1.4MB

MD5
9a93ad48c4d58c0c43a032f85b0b112d

SHA1
fbf8cae8642082c39a414da604cc9e9bb88f315c

SHA256
938e503ffe8a9614a60068fa1c966d6ea7f9b75d28c6b6ccefc7f47503f82e42

SHA512
38207b60140880e68222fe9cc628c9b776c4d59accebe78f4051a0bebc03f5a1411497664faeed3865af04d63acef1c96752a7c30dc156e968f37ff4c708812f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDD1.tmp\btec.bat
Filesize
9B

MD5
b0001c00a961b45a4d467ff7b0db34f9

SHA1
93bb6b09c9007ac568b39a77f4aa10d5dfc59fb9

SHA256
abb30b0a70e39de39ce0790c6c157fd04bcfb998705ec1672fe8070ff2d34573

SHA512
3930bbe5b8936800736cb965e98f54eaf1e18218e865441f2ceff9002b23210c35867acef6a97f7491765701cede7ef82182410931cecd83fa5d7b121918c500

Download Submit
C:\Users\Admin\Desktop\000.exe
Filesize
45KB

MD5
5136890a4227180370a27597403b94ba

SHA1
d3dfec71fcb480b2531d9e7440e85e58ca325e5a

SHA256
7df185a50a3eac1d4f3d7e6dd45dad3752a13f190503b0a03b9a5e8ebea247b0

SHA512
b3c53e5a66f6e450d91fca2c01c421f12f11b739cd4500ecc27e2788a0a24d2a533776230caeb00d15a24c5994f667e7e96b2b9bb6324d97bae556fdc366753f

Download Submit
C:\Users\Admin\Downloads\2_BvG.rar
Filesize
1.3MB

MD5
630d1d0d0dc3e83894066c0b054ad8e3

SHA1
1c1c6a7bf0b2417f8cb4cf557cab379e53179dd6

SHA256
733ed3d64021c1de9d376e9f1d95d05ba9626ee04bbe89e42f021825ce7b8a7c

SHA512
94861f8cc2493befbce247fa2750f1811316b521efa80d4d7af7a6745ab4bc2a1f27718f7c0faed213c9824935790b68efae208ea6e87dde5b85209efb7fb281

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 195178.crdownload
Filesize
1.3MB

MD5
8515170956d36ef9da3082a7c22e8213

SHA1
66c835bdf217d1ceb2d73f7b8b27d7ccca212b38

SHA256
1ea62e6b152e4b7dbadf45289e04bf4ea7431c7928a9b3c6ba5e4c06fe368085

SHA512
d462bed332c2e60d3815d6542013d56c58ffbf063aafe4f255dbe83b6e48e2b2f29b0063febd6c04a7e6721e149c727a3c2e8e0704807e2ce4c5bf98e5dbd423

Download Submit
C:\Users\Admin\Downloads\peazip_portable-9.8.0.WINDOWS.zip
Filesize
12.4MB

MD5
41fb45d3b775e2e6bd3ef3a039004609

SHA1
58e2d2f63d23f2c3ccbaee3c78ae305dbb9e32e0

SHA256
73ac51b9e0be88498cbb3e7bf1fb5e237413ffa87f09c2cdd6a899bf84d1d0ed

SHA512
7ca293fd0658b88b9c838b782a5d15d2307d2a88f11c33dafa30bc89517df9653b05577232a2df15382cab53ff6a5360c92d0200a2a3ce47eaa2a7bdb5d024c7

Download Submit
\??\pipe\LOCAL\crashpad_4956_SUGPIHKBVBTEYMWK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1560-1176-0x000001B5015F0000-0x000001B501610000-memory.dmp

Filesize
128KB

Download
memory/1560-1151-0x000001B4FFEC0000-0x000001B4FFFC0000-memory.dmp

Filesize
1024KB

Download
memory/1560-1292-0x000001ACFE400000-0x000001ACFFD2F000-memory.dmp

Filesize
25.2MB

Download
memory/1560-1164-0x000001B500FE0000-0x000001B501000000-memory.dmp

Filesize
128KB

Download
memory/1560-1150-0x000001B4FFEC0000-0x000001B4FFFC0000-memory.dmp

Filesize
1024KB

Download
memory/1560-1149-0x000001B4FFEC0000-0x000001B4FFFC0000-memory.dmp

Filesize
1024KB

Download
memory/1560-1154-0x000001B501220000-0x000001B501240000-memory.dmp

Filesize
128KB

Download
memory/1708-1438-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/3332-1293-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/3332-1097-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/3332-1117-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/3332-1119-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/3332-1133-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/3332-1134-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/3332-1137-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/3332-1139-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/3332-1144-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/3332-1116-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/4172-1147-0x0000000003E40000-0x0000000003E41000-memory.dmp

Filesize
4KB

Download
memory/5044-1297-0x0000021230070000-0x0000021230170000-memory.dmp

Filesize
1024KB

Download
memory/5044-1302-0x00000212311D0000-0x00000212311F0000-memory.dmp

Filesize
128KB

Download
memory/5044-1436-0x0000020A2E600000-0x0000020A2FF2F000-memory.dmp

Filesize
25.2MB

Download
memory/5044-1306-0x0000021231190000-0x00000212311B0000-memory.dmp

Filesize
128KB

Download
memory/5044-1307-0x00000212317A0000-0x00000212317C0000-memory.dmp

Filesize
128KB

Download
memory/5200-999-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/5200-998-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/5200-1001-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/5200-1000-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/5200-1067-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/5200-1087-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/5200-1077-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/5200-1014-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/5200-988-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/5716-1295-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download