Overview

overview

10

Static

static

10

Runtime Broker.exe

windows7-x64

10

Runtime Broker.exe

windows10-2004-x64

10

Resubmissions

23/06/2024, 11:45

240623-nwp5hstaqp 10

22/06/2024, 22:40

240622-2lpb5axgle 10

22/06/2024, 22:29

240622-2epz3sxdmh 10

22/06/2024, 22:12

240622-14q31awgnf 10

22/06/2024, 22:02

240622-1x59cawdqf 10

22/06/2024, 22:00

240622-1wyg4swdlc 10

Analysis

  • max time kernel
    393s
  • max time network
    397s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/06/2024, 22:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Runtime Broker.exe

  • Size

    72KB

  • MD5

    89af2aaffc3ddda07a0fc977c8bb2236

  • SHA1

    412bd5812599d5729a51d0350df48030b0d04e1a

  • SHA256

    637aff987be6ea158b7182de9de5de0054407077511019516270d82a6f2e9b69

  • SHA512

    8c2b26d0f1b0ae80149a2aaadef329ab7fb3495bdfbccb7f8ff60368094cd955829b2cb1217b16808ac41a223661d48c2dcf88d3daeddc6b699aa88272be75ae

  • SSDEEP

    1536:b0nLpERHZ5P56srqpbTXw3cYUo6IfI4WOyL6KqGi:bcY7P56tbTXb6IvOyyGi

Score
10/10
stormkittyxwormevasionexecutionpersistenceprivilege_escalationransomwareratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

medical-m.gl.at.ply.gg:28857

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Runtime Broker.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 2 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Disables Task Manager via registry modification
    evasion
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 17 IoCs
  • Enumerates connected drives 3 TTPs 9 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Control Panel 3 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
    "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • UAC bypass
    • Checks computer location settings
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1296
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4224
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Runtime Broker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5040
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\ProgramData\Runtime Broker.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4812
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:912
      • C:\Windows\system32\netsh.exe
        netsh wlan show profiles
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:1356
    • C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" qc windefend
      2⤵
      • Launches sc.exe
      PID:1832
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
      2⤵
        PID:2384
      • C:\Windows\system32\whoami.exe
        "C:\Windows\system32\whoami.exe" /groups
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5044
      • C:\Windows\system32\net1.exe
        "C:\Windows\system32\net1.exe" start TrustedInstaller
        2⤵
          PID:1852
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4016
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
          2⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1988
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe5bcf46f8,0x7ffe5bcf4708,0x7ffe5bcf4718
            3⤵
              PID:3104
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,14956764290399572045,10655892925360369595,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2
              3⤵
                PID:3936
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,14956764290399572045,10655892925360369595,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2552 /prefetch:3
                3⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:2516
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,14956764290399572045,10655892925360369595,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
                3⤵
                  PID:4872
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14956764290399572045,10655892925360369595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
                  3⤵
                    PID:2620
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14956764290399572045,10655892925360369595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
                    3⤵
                      PID:392
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,14956764290399572045,10655892925360369595,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
                      3⤵
                        PID:1544
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,14956764290399572045,10655892925360369595,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
                        3⤵
                          PID:1524
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14956764290399572045,10655892925360369595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
                          3⤵
                            PID:4140
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14956764290399572045,10655892925360369595,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
                            3⤵
                              PID:1936
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14956764290399572045,10655892925360369595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
                              3⤵
                                PID:3420
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14956764290399572045,10655892925360369595,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
                                3⤵
                                  PID:4720
                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0x0g3t2j\0x0g3t2j.cmdline"
                                2⤵
                                • Suspicious use of SetWindowsHookEx
                                PID:1636
                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF07C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4AAD7C5BCCD9460E8E7B3A895288D227.TMP"
                                  3⤵
                                    PID:2388
                                • C:\Windows\SYSTEM32\taskkill.exe
                                  taskkill /F /IM explorer.exe
                                  2⤵
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2640
                                • C:\Windows\explorer.exe
                                  "C:\Windows\explorer.exe"
                                  2⤵
                                  • Boot or Logon Autostart Execution: Active Setup
                                  • Enumerates connected drives
                                  • Checks SCSI registry key(s)
                                  • Modifies registry class
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of FindShellTrayWindow
                                  • Suspicious use of SendNotifyMessage
                                  PID:2244
                                • C:\Windows\explorer.exe
                                  "C:\Windows\explorer.exe"
                                  2⤵
                                    PID:5088
                                  • C:\Windows\System32\netsh.exe
                                    "C:\Windows\System32\netsh.exe" advfirewall set allprofiles state off
                                    2⤵
                                    • Modifies Windows Firewall
                                    • Event Triggered Execution: Netsh Helper DLL
                                    PID:3560
                                  • C:\Windows\System32\netsh.exe
                                    "C:\Windows\System32\netsh.exe" advfirewall set allprofiles state off
                                    2⤵
                                    • Modifies Windows Firewall
                                    • Event Triggered Execution: Netsh Helper DLL
                                    PID:1124
                                • C:\ProgramData\Runtime Broker.exe
                                  "C:\ProgramData\Runtime Broker.exe"
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3336
                                • C:\Windows\system32\wbem\WmiApSrv.exe
                                  C:\Windows\system32\wbem\WmiApSrv.exe
                                  1⤵
                                    PID:3644
                                  • C:\Windows\servicing\TrustedInstaller.exe
                                    C:\Windows\servicing\TrustedInstaller.exe
                                    1⤵
                                      PID:2372
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
                                        2⤵
                                        • Modifies Windows Defender Real-time Protection settings
                                        • Modifies data under HKEY_USERS
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of WriteProcessMemory
                                        PID:4776
                                        • C:\Windows\system32\sc.exe
                                          "C:\Windows\system32\sc.exe" qc windefend
                                          3⤵
                                          • Launches sc.exe
                                          PID:4372
                                        • C:\Windows\system32\cmd.exe
                                          "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
                                          3⤵
                                            PID:4872
                                          • C:\Windows\system32\whoami.exe
                                            "C:\Windows\system32\whoami.exe" /groups
                                            3⤵
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3344
                                          • C:\Windows\system32\net1.exe
                                            "C:\Windows\system32\net1.exe" stop windefend
                                            3⤵
                                              PID:4100
                                            • C:\Windows\system32\sc.exe
                                              "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
                                              3⤵
                                              • Launches sc.exe
                                              PID:1444
                                        • C:\ProgramData\Runtime Broker.exe
                                          "C:\ProgramData\Runtime Broker.exe"
                                          1⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1356
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:1876
                                          • C:\Windows\System32\CompPkgSrv.exe
                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                            1⤵
                                              PID:3360
                                            • C:\Windows\system32\AUDIODG.EXE
                                              C:\Windows\system32\AUDIODG.EXE 0x4a0 0x4a8
                                              1⤵
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1144
                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                              1⤵
                                              • Modifies registry class
                                              • Suspicious use of SetWindowsHookEx
                                              PID:3624
                                            • C:\Windows\System32\rundll32.exe
                                              C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
                                              1⤵
                                                PID:1688
                                              • C:\Windows\explorer.exe
                                                explorer.exe
                                                1⤵
                                                • Boot or Logon Autostart Execution: Active Setup
                                                • Enumerates connected drives
                                                • Checks SCSI registry key(s)
                                                • Modifies registry class
                                                • Suspicious use of FindShellTrayWindow
                                                • Suspicious use of SendNotifyMessage
                                                PID:4148
                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                1⤵
                                                • Suspicious use of SetWindowsHookEx
                                                PID:4384
                                              • C:\Windows\explorer.exe
                                                explorer.exe
                                                1⤵
                                                • Boot or Logon Autostart Execution: Active Setup
                                                • Enumerates connected drives
                                                • Checks SCSI registry key(s)
                                                • Modifies registry class
                                                • Suspicious use of SendNotifyMessage
                                                PID:4868
                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                1⤵
                                                • Modifies registry class
                                                • Suspicious use of SetWindowsHookEx
                                                PID:4176
                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                1⤵
                                                • Modifies Internet Explorer settings
                                                • Modifies registry class
                                                • Suspicious use of SetWindowsHookEx
                                                PID:692
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                1⤵
                                                • Drops file in Windows directory
                                                PID:3184
                                                • C:\ProgramData\Runtime Broker.exe
                                                  "C:\ProgramData\Runtime Broker.exe"
                                                  2⤵
                                                  • Executes dropped EXE
                                                  PID:452
                                              • C:\Windows\explorer.exe
                                                explorer.exe
                                                1⤵
                                                • Boot or Logon Autostart Execution: Active Setup
                                                • Enumerates connected drives
                                                • Checks SCSI registry key(s)
                                                • Modifies registry class
                                                • Suspicious use of SetWindowsHookEx
                                                PID:4756
                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                1⤵
                                                • Modifies registry class
                                                • Suspicious use of SetWindowsHookEx
                                                PID:1160
                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                1⤵
                                                • Modifies Internet Explorer settings
                                                • Modifies registry class
                                                • Suspicious use of SetWindowsHookEx
                                                PID:4508

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Reconnaissance

                                              Resource Development

                                              Initial Access

                                              Execution

                                              Command and Scripting Interpreter

                                              1
                                              T1059

                                              PowerShell

                                              1
                                              T1059.001

                                              Scheduled Task/Job

                                              1
                                              T1053

                                              Scheduled Task

                                              1
                                              T1053.005

                                              Scripting

                                              1
                                              T1064

                                              Persistence

                                              Boot or Logon Autostart Execution

                                              2
                                              T1547

                                              Active Setup

                                              1
                                              T1547.014

                                              Registry Run Keys / Startup Folder

                                              1
                                              T1547.001

                                              Create or Modify System Process

                                              2
                                              T1543

                                              Windows Service

                                              2
                                              T1543.003

                                              Event Triggered Execution

                                              1
                                              T1546

                                              Netsh Helper DLL

                                              1
                                              T1546.007

                                              Scheduled Task/Job

                                              1
                                              T1053

                                              Scheduled Task

                                              1
                                              T1053.005

                                              Privilege Escalation

                                              Abuse Elevation Control Mechanism

                                              1
                                              T1548

                                              Bypass User Account Control

                                              1
                                              T1548.002

                                              Boot or Logon Autostart Execution

                                              2
                                              T1547

                                              Active Setup

                                              1
                                              T1547.014

                                              Registry Run Keys / Startup Folder

                                              1
                                              T1547.001

                                              Create or Modify System Process

                                              2
                                              T1543

                                              Windows Service

                                              2
                                              T1543.003

                                              Event Triggered Execution

                                              1
                                              T1546

                                              Netsh Helper DLL

                                              1
                                              T1546.007

                                              Scheduled Task/Job

                                              1
                                              T1053

                                              Scheduled Task

                                              1
                                              T1053.005

                                              Defense Evasion

                                              Abuse Elevation Control Mechanism

                                              1
                                              T1548

                                              Bypass User Account Control

                                              1
                                              T1548.002

                                              Impair Defenses

                                              3
                                              T1562

                                              Disable or Modify System Firewall

                                              1
                                              T1562.004

                                              Disable or Modify Tools

                                              2
                                              T1562.001

                                              Modify Registry

                                              7
                                              T1112

                                              Scripting

                                              1
                                              T1064

                                              Credential Access

                                              Unsecured Credentials

                                              1
                                              T1552

                                              Credentials In Files

                                              1
                                              T1552.001

                                              Discovery

                                              Peripheral Device Discovery

                                              2
                                              T1120

                                              Query Registry

                                              5
                                              T1012

                                              System Information Discovery

                                              5
                                              T1082

                                              Lateral Movement

                                              Collection

                                              Data from Local System

                                              1
                                              T1005

                                              Command and Control

                                              Exfiltration

                                              Impact

                                              Defacement

                                              1
                                              T1491

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\ProgramData\Runtime Broker.exe
                                                Filesize

                                                72KB

                                                MD5

                                                89af2aaffc3ddda07a0fc977c8bb2236

                                                SHA1

                                                412bd5812599d5729a51d0350df48030b0d04e1a

                                                SHA256

                                                637aff987be6ea158b7182de9de5de0054407077511019516270d82a6f2e9b69

                                                SHA512

                                                8c2b26d0f1b0ae80149a2aaadef329ab7fb3495bdfbccb7f8ff60368094cd955829b2cb1217b16808ac41a223661d48c2dcf88d3daeddc6b699aa88272be75ae

                                                Download Submit

                                              • C:\USERS\ADMIN\DESKTOP\BLOCKDISABLE.DWG
                                                Filesize

                                                952KB

                                                MD5

                                                d7761ef10c2b95c5fb5b55006607a812

                                                SHA1

                                                d1b35e2a72f01afea9c7cd5e461eb51d43c10e4b

                                                SHA256

                                                52880ca753cb989436502cbaa7b24643559eaf56763b9d3f0c61930d3f36ecf4

                                                SHA512

                                                76ffdc25c3c5f7f867606acf6db40ad3d5ef412fcc6091a6973b01c5d4b532a344c2eac66d924bb81f33526255e3761f7ea67d62c5043e58778e6790bc47fd13

                                                Download Submit

                                              • C:\USERS\ADMIN\DESKTOP\CONVERTCLEAR.3GPP
                                                Filesize

                                                761KB

                                                MD5

                                                9a7c4e32329a9fefd053b2a3c6de8e8a

                                                SHA1

                                                f9359919c7d8fd75a7bb6f5bb7f6e09ed4602c84

                                                SHA256

                                                5f935eabffea0c8f1f6d424fd76af27015d53a237e3476f305768c1511bf7bcc

                                                SHA512

                                                fce788d6cd6b949025c5bd3eaeb8b88a3b063ebf338efce60fd3615c10656038a37af835b55040273ea40172ae9c38c02c142e2e093ae16aaf040b4d75381256

                                                Download Submit

                                              • C:\USERS\ADMIN\DESKTOP\EDITRESIZE.PNG
                                                Filesize

                                                609KB

                                                MD5

                                                7061f56e98678acd1b98f511fff45243

                                                SHA1

                                                f22b01b0afc99bbaabc23a96f293e079a9b78a96

                                                SHA256

                                                23685c25dce67ba796840705d1e36fd9fd8a5eda9e456057304747b9a74a978e

                                                SHA512

                                                9ac9f5cdd28fed388798c753353021a3279c66945a1083ad5564a1b65166263a925ae60c239c635294262c58eff0ea46a4cbdb0391297a3df365f00125cd44dc

                                                Download Submit

                                              • C:\USERS\ADMIN\DESKTOP\GROUPCHECKPOINT.EPS
                                                Filesize

                                                1.0MB

                                                MD5

                                                accf8cd319de97fbe2268ba936d59a23

                                                SHA1

                                                73b3a1cc6b3f27755f83e4f2cc320629fab3ae1e

                                                SHA256

                                                9ed6219ec14263dd63ec77a06eaeafbd0bad682a4d10e1cd72428393daea5d6a

                                                SHA512

                                                acf2f4d8df0ab122b09f1ce5e73a604f1da5603bf336327b8b84c80a9245289630fcaa14e435438ee4ce34a7e2f1ece45eeb75849d8625dc5663c1254be9fa2e

                                                Download Submit

                                              • C:\USERS\ADMIN\DESKTOP\INITIALIZERESET.INF
                                                Filesize

                                                875KB

                                                MD5

                                                1fc3ba768dba25886729869244f0b98a

                                                SHA1

                                                d545339b5568af3b8beb9323355682a4e259fd40

                                                SHA256

                                                cb9d09a51f193703b3350171139f9434c0fe221c58831831aee66f568b84cca7

                                                SHA512

                                                3682dab79949771c872d1cd9ca44d04fa62d51206e978941cbbffd0991b00448ab4d77872c1fb68bb2931dc222717824f7adca09ddcf72b13eb6ba9ae2d104a3

                                                Download Submit

                                              • C:\USERS\ADMIN\DESKTOP\OPENCLEAR.DXF
                                                Filesize

                                                685KB

                                                MD5

                                                b01563b8243edb6d0d42283dd8730a24

                                                SHA1

                                                0bb0135cfecbe8a2ed09727512cc2e657a4db380

                                                SHA256

                                                86689c45e4618a68a950ec7d2c1ef2374ad255c1cfa2c1c02518c7c8d0ee8cff

                                                SHA512

                                                cae0a86074c9acf9693627566d29ab55b85de05746507fc7e94c15747acee6db3d1e7e9cf85afa5dbb09af32a86de88f0dbee2041104d5dd40450d610f6bfdc1

                                                Download Submit

                                              • C:\USERS\ADMIN\DESKTOP\OPENSTART.M3U
                                                Filesize

                                                837KB

                                                MD5

                                                560bc8ad06fbd68839e38a2fcce12a4d

                                                SHA1

                                                ae0bc148a493a0ad0a8893c58db1cbd5b01c4d6f

                                                SHA256

                                                774ccd3dd7d19d6d381908d1fd09ba78ef5486f3e2ccd1a10daa84f68d9e3ba0

                                                SHA512

                                                31e75a12814c6513a9f6d05c372e008f4786df52bf55cac714d8c114d5e107064dd432b197e7273fa105c93c0b9650c3c4b598e100ec85f1f22a5fa397b908cb

                                                Download Submit

                                              • C:\USERS\ADMIN\DESKTOP\REPAIRMEASURE.MOV
                                                Filesize

                                                647KB

                                                MD5

                                                79196164311097309416ee2ec2dbe9e7

                                                SHA1

                                                a377ac3780053c4751a4dee13f0ce07c9fd5d95c

                                                SHA256

                                                a6f6780fee548cd0aa8962d7f6bdeaf09bfc81d6a3643c21aa00042a7822b0e6

                                                SHA512

                                                47ad878af93c8c24b036e9fb02a18e2acb63284f4cc55e16d6f1976935329e5c409c69f9a8a18d6b3bb05cbef4014a17866c551f4d91e0ad19d10d7f72768244

                                                Download Submit

                                              • C:\USERS\ADMIN\DESKTOP\REQUESTINITIALIZE.VST
                                                Filesize

                                                571KB

                                                MD5

                                                7c5bbbff3fcb14a8b1c98d1a17be0493

                                                SHA1

                                                b72c4b0675b78786e82372aa604992cddde78dd7

                                                SHA256

                                                9a0923eebccb12af6386a060fee91b3f5ebd0a6a638188333a05b25ed7181505

                                                SHA512

                                                6e188e355603a637885746c28a3e78ea5ea41eef65b308aae3fa7a6d650ece79f180407de82a316fa265c340d0dbe7879a137110e327518a750a8c87c45ef5e7

                                                Download Submit

                                              • C:\USERS\ADMIN\DESKTOP\RESETREDO.TEMP
                                                Filesize

                                                990KB

                                                MD5

                                                1eee650871b05b7f65c2a1d0247160d4

                                                SHA1

                                                1c037e433ddd2d36e4a25a21a5fec2a2b662dd0c

                                                SHA256

                                                a2e152523b3cddea0cb0e8e290fa4d3c49c999a49f4daab19d344651f22f0ad5

                                                SHA512

                                                981cd1de049b64878e1ecce7a6b880985e259e39c068cb5c4cfc8c68ae230c45686fec1b50775c3c366b0eac7effce24a6fb1b1b5fa14ad617c6d16aabf5a928

                                                Download Submit

                                              • C:\USERS\ADMIN\DESKTOP\RESTARTSTOP.SVGZ
                                                Filesize

                                                418KB

                                                MD5

                                                712e7b4a24a70ba0ff8fa80124ccfc3f

                                                SHA1

                                                bb864ba142419611520ee0ffc3e9d4a70301581c

                                                SHA256

                                                64ddc6c911c2f722d3239ad0d35f26d6c740de5193fe8fc1c3af6f242739c755

                                                SHA512

                                                e08ae912a54711f3dfaae105ab1c890e3077b4d77ec3f827710e19d2978ac9fbb65a8edf7868312ff562f003a77f31da252a8b60f948f41f44fa230141e07b80

                                                Download Submit

                                              • C:\USERS\ADMIN\DESKTOP\RESUMETRACE.PPSM
                                                Filesize

                                                723KB

                                                MD5

                                                bcc58e1e45376305ac0b29dbcffcd7ce

                                                SHA1

                                                b39ab7134d04b5071accb642615d78473e7535cf

                                                SHA256

                                                474382775e5b478c855c399fa0286c565e8b15de842dfe8ad55c9f83faa6ea06

                                                SHA512

                                                fc2774e9fd66bc07ce9d93f2c0a887404693cfcb3fbd4a62a5f0ed43f5a619a3bc682fae7766fe2cf972a4556c4859c1136f567a530a39e457a5f02d32aab91c

                                                Download Submit

                                              • C:\USERS\ADMIN\DESKTOP\RESUMEUNINSTALL.MPEG2
                                                Filesize

                                                533KB

                                                MD5

                                                cc4f6c8d0af234127e7b269b2b436fc5

                                                SHA1

                                                bba2a136ca2c93be3a477c1edb78fa3b534d3c23

                                                SHA256

                                                2fceaacad5cbd5b810eb0ee8e9a13cf8876c6f1036704df2a79a6a98c983e554

                                                SHA512

                                                a7d356d4e40df969609fe5a65593535d914f6467dae5be628e620f6369d86629195a5e7f0e400561431685c05f451c25fe613ed3633eeaef9f4220024698a921

                                                Download Submit

                                              • C:\USERS\ADMIN\DESKTOP\SENDCOMPLETE.XPS
                                                Filesize

                                                1.2MB

                                                MD5

                                                52755acb7842d3f8c8c2725932d90550

                                                SHA1

                                                322dd9ca77b1b01af5ef65519b2b1a31010c65a8

                                                SHA256

                                                c9b05ac791979ddbd5c1fd7ae2b025300911aa550da343da79d7a89a6a17752f

                                                SHA512

                                                f8a8a3da7c320db159fc0d58d5b97b2bf5dd7c6d5f9b67ecdd3bb55e9a465001132bce1bac980015d4f62a3f6ca265a340801e33b4e914ba36c5e4bb72e5cc88

                                                Download Submit

                                              • C:\USERS\ADMIN\DESKTOP\STEPCLEAR.WPL
                                                Filesize

                                                1.1MB

                                                MD5

                                                5cdc1969b61e6dad5d87f542bbb645dd

                                                SHA1

                                                9c8ad317185c0a1904972904a7469c89d4cb8cc4

                                                SHA256

                                                088e636101b7a25502918c0d8e9dcb90d4263969747f128a684f805014801980

                                                SHA512

                                                d8fb66309a684c0bcda546a88efb091df88b40e07d35ed1ded0270dbc1f97181ef63e273b3d25f5c6c4e4b84f443c3fa2e5db07c1e8171837ad3fbb47bcf6fdd

                                                Download Submit

                                              • C:\USERS\ADMIN\DESKTOP\SWITCHCHECKPOINT.DIB
                                                Filesize

                                                1.6MB

                                                MD5

                                                d509eb2576c4bc2740ac7996b2f87094

                                                SHA1

                                                a668329656998ee91e9cb59b099a9b9edaf9384b

                                                SHA256

                                                256625fe2484369a7b77394b2ba3196df9e3e2cf1ab5de059caf2e972a2ebc95

                                                SHA512

                                                a446b37d27955786959b572d19df2b5915b6879cb32eb9b2fa062626c7c609620f1bc118a07bf68c12804b61e70714f7dd5a0961a98c2bd32f66904afb45be49

                                                Download Submit

                                              • C:\USERS\ADMIN\DESKTOP\SYNCHIDE.XHT
                                                Filesize

                                                1.1MB

                                                MD5

                                                3e3e5fffb66cffcb291af44f6c7983a2

                                                SHA1

                                                e5bc7b061c75dda505ec210776a3606cab698656

                                                SHA256

                                                8958fae77ee3aab95b8b28a85595b589c4c0f0c55d6cadc434e5696b047004ae

                                                SHA512

                                                8dc6edcac8229d0a3c2ed2c81b979996e727f7d838b222fff4def30baa298ca77bc7de28f82219a3df73b4c692f0178e1d2f918e13218420a7b35b3b2b70ab4d

                                                Download Submit

                                              • C:\USERS\ADMIN\DESKTOP\SYNCRESUME.XLSB
                                                Filesize

                                                1.0MB

                                                MD5

                                                e2e321e44829b099048de4649c11e80c

                                                SHA1

                                                65ac0b60cfa08dc7d2104a1c9dbc4926f29dfd3a

                                                SHA256

                                                27b43f30de5b91190057b8ac5d003408a6daeb32844794230a320ee50e5c9139

                                                SHA512

                                                ec5fff61d33b28f2238ef3a4d536c18fe6d8b692e0a1c4a137410606e040ea67c0003718acbe1b38c0bbd7341cf2cfa918f86a910f4c2dab31077fe2fc93d4fd

                                                Download Submit

                                              • C:\USERS\ADMIN\DESKTOP\TESTINVOKE.3GPP
                                                Filesize

                                                913KB

                                                MD5

                                                c5afe390532288dfb76113eeeb4dc940

                                                SHA1

                                                89786f2fb4823392355248474b17393375304296

                                                SHA256

                                                7398ee6cf8a76e528396a61408eca0057ef8fb9acc769efe25b9756235171005

                                                SHA512

                                                c9efd040d364cdfdab694ff950afae79415bc6825b0be71ef3a407bf155848156704e4af68ffb62383de7166fc4e2087d8335b7e8763694730f6aa85fdf4e7a4

                                                Download Submit

                                              • C:\USERS\ADMIN\DESKTOP\UNDOREGISTER.MHTML
                                                Filesize

                                                799KB

                                                MD5

                                                47c00e6838d6c34c14f18b0dfbf5a116

                                                SHA1

                                                09ca0dc04e28250ef1d79f74e47605c90027523f

                                                SHA256

                                                0a410d2e692523548b0919b2def85a9c5c936c1025cb3f75dabefaa18bafa758

                                                SHA512

                                                792e38235ec323fda814d23e976400c35babb9bd53a8ba0422e8e56e43d1e898f8c14359a0980766fbbc5e2b3acbfc7b2c4e67320cda6f14b33c22efb07cc0f6

                                                Download Submit

                                              • C:\USERS\ADMIN\DESKTOP\UNPROTECTRESOLVE.MPEG
                                                Filesize

                                                495KB

                                                MD5

                                                9f13c19377e4bbaac2f662a4f40463ce

                                                SHA1

                                                1686d8d9687df228c4a82953967bb7ebdafe835d

                                                SHA256

                                                95f9e9284b94d0507f197ba5fd4c0cb40105dc471829afad9c56a68eb567e5f8

                                                SHA512

                                                5c6310102db496477ebbb9932204d1e6e3d9fcf131c94eb2aca39c17088f90f900ff749c4604ddc225d73f548b35a386bebf7e2a98a9bdcb481c40a8471ee83b

                                                Download Submit

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
                                                Filesize

                                                471B

                                                MD5

                                                f40b4e4692f6a96423dafcbf5ff89e6f

                                                SHA1

                                                9e5cc9c388de3212d974bf7a0106126cf38c89c1

                                                SHA256

                                                378cdb654afeba1c790fab544a148bd30d4317e68e1b9cf8d73a001eedae2ed5

                                                SHA512

                                                de91b6397e9bd5f756fc6641ffa04c58c099db030ecc7d6990521542c8b92bc0c6fee71ba351a0ac2efd9aae1f0ee2353dcc32032fa819fd529f7e36795faa4d

                                                Download Submit

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
                                                Filesize

                                                420B

                                                MD5

                                                82b766188928627205592020a88caa69

                                                SHA1

                                                f99433a473ac485f1800aa91aa32fdc214fe9a8e

                                                SHA256

                                                583ba752f7753920dff09f9afdf64ce08dd7be1b3c8dc82cdec1512f5083f4f3

                                                SHA512

                                                e76cfac8a5da817fe8a5775620bde11362b290a40952c2337de05c9f2beed1f1194dc4e198c6ed4ab92814dc8a8b094f3b64b07c39406ec178b2bc73c616fb1a

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log
                                                Filesize

                                                654B

                                                MD5

                                                2ff39f6c7249774be85fd60a8f9a245e

                                                SHA1

                                                684ff36b31aedc1e587c8496c02722c6698c1c4e

                                                SHA256

                                                e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                                                SHA512

                                                1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                Filesize

                                                2KB

                                                MD5

                                                d85ba6ff808d9e5444a4b369f5bc2730

                                                SHA1

                                                31aa9d96590fff6981b315e0b391b575e4c0804a

                                                SHA256

                                                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                SHA512

                                                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                Filesize

                                                152B

                                                MD5

                                                56067634f68231081c4bd5bdbfcc202f

                                                SHA1

                                                5582776da6ffc75bb0973840fc3d15598bc09eb1

                                                SHA256

                                                8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4

                                                SHA512

                                                c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                Filesize

                                                152B

                                                MD5

                                                81e892ca5c5683efdf9135fe0f2adb15

                                                SHA1

                                                39159b30226d98a465ece1da28dc87088b20ecad

                                                SHA256

                                                830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17

                                                SHA512

                                                c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                Filesize

                                                5KB

                                                MD5

                                                565a6e34e207c409b2fa388a11a68edf

                                                SHA1

                                                afa9c39e12e193c233d0b2a58f20ea751c94734a

                                                SHA256

                                                53d7b09e007c9dac22de9fc32664e8e2eb5c80defe6f647ee70ed48f492bb008

                                                SHA512

                                                467c105096935b0cc1b665cdb6a4e3959f292a966908a83dcd2d5b4869f8974cd52787d865930c5d56f82459552bbcadba3971722076faea93766b392c448a34

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                Filesize

                                                6KB

                                                MD5

                                                a41ced281f4b715f2eb1d0bff32cc1fc

                                                SHA1

                                                ccf74d13380a86ab37c595d60b6f1eeb6d83bc8c

                                                SHA256

                                                86d8e31e3d20703d1f512527c42e6231d75ff52337d93bb8f850cf825c1155a7

                                                SHA512

                                                346398b7890829bbaabb84d29b9af2ab17c4d84f2112949fc233ce4a1c684008e0a0e53c6003e9dd4c423571b31b6ecce9bdff55eab6df73b84a397f9886608c

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                Filesize

                                                16B

                                                MD5

                                                6752a1d65b201c13b62ea44016eb221f

                                                SHA1

                                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                SHA256

                                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                SHA512

                                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                Filesize

                                                11KB

                                                MD5

                                                6a0f552efb6230434be37e5ddd34bd21

                                                SHA1

                                                243e4ffe93c126e160ef8081b3ab8d5ba1f1a31f

                                                SHA256

                                                2ad6828df55cb6912f7f1790096c4da1010408d1661833323f7dadac049e9e8e

                                                SHA512

                                                5ea1a2dc44c8837d0fcf54b455c81aaa3531f9f637814fb5d1eadadbd671a27b6cc2de905f62d548ee4f0f264de30c822ec89cc71d17bba40072cc9468229221

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
                                                Filesize

                                                264KB

                                                MD5

                                                f50f89a0a91564d0b8a211f8921aa7de

                                                SHA1

                                                112403a17dd69d5b9018b8cede023cb3b54eab7d

                                                SHA256

                                                b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                                SHA512

                                                bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                944B

                                                MD5

                                                cb510d88572f6130f5671663b3ca9724

                                                SHA1

                                                06d160a26255b29c13a10da5fe2ce5cca8f02f1d

                                                SHA256

                                                217c002587215f3a65f107e4c0f0974d9f0a4926cb8854eea08145a903c41576

                                                SHA512

                                                b748477e48c645a24885f94fa6aa4d12742e4efaa592135c841e9f2ce4da4cbd5430b1fd3b7c78f116d46b6f9aae12a11df17ea939cce7aeeccce6fbd070833b

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                1KB

                                                MD5

                                                f2a14f4e2e9181ab6e871a0c1aa423ce

                                                SHA1

                                                ba6e4fa19aa6fdabaa919f05edc89a77683b7cd6

                                                SHA256

                                                a392c63236b1bc9ebc3f032e0d776a208bfadaa6055464c1b5ed4f7679a17706

                                                SHA512

                                                0bb1fe91cded051378c037002592b5f305f19d9c8e5e76915cf39ce5306768285bf9dd4768143d781f9944d8b444b06a9b6d6e9fd0941532269413ef5205454b

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                944B

                                                MD5

                                                d28a889fd956d5cb3accfbaf1143eb6f

                                                SHA1

                                                157ba54b365341f8ff06707d996b3635da8446f7

                                                SHA256

                                                21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                                SHA512

                                                0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                944B

                                                MD5

                                                2a9c7dfcc40aad1f3866fa2a0950b400

                                                SHA1

                                                4854cd6ea5f75edbfb15412d0c9bfd5790b9446d

                                                SHA256

                                                434049d0e0f9cd87b92fec7f431147ba783e56cdfe2dcb03c98ae8e9954a4c9f

                                                SHA512

                                                34a0f078978f2fc62e688ea102d6a8887c3fd4025e47f2c398461253f234d0f668f8d3a9af21af35802d767b57c8e4a2d4d7e2c182d2da19ccc28be1a41652ab

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                944B

                                                MD5

                                                5cfe303e798d1cc6c1dab341e7265c15

                                                SHA1

                                                cd2834e05191a24e28a100f3f8114d5a7708dc7c

                                                SHA256

                                                c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

                                                SHA512

                                                ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZD788ZAR\microsoft.windows[1].xml
                                                Filesize

                                                96B

                                                MD5

                                                fb128dd23be90403a359178e993c9d0f

                                                SHA1

                                                26fd6915e3556d4cd004f62d06fbca7926807544

                                                SHA256

                                                8da3b3625b4cd2b5eb982bb67a9478c68e411b45c46fb8548a62855069fc1c34

                                                SHA512

                                                7fe9d62e3ce2cc4818e8b16323bf94e1d31b2a492fe5afbc16ac4cb806fcf8449d63e5f5d40fae431fa91d28cf532ccbc74bc5af2fa18b6ee5ebf8c6399febdd

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133635682369830655.txt
                                                Filesize

                                                75KB

                                                MD5

                                                ec861d1b31e9e99a4a6548f1e0b504e1

                                                SHA1

                                                8bf1243597aba54793caf29c5e6c258507f15652

                                                SHA256

                                                9dcf45126bd51fcc0ef73e54cc07f8eec145bc17eef189acd15fba199972d7da

                                                SHA512

                                                30cf8103a2043fd7b1a54ce06ff2ca14ba382040297a177fc612bcf55878f9d0abbe3f7ea0e7be6b6981f7c67f8be09d77730670365af3d52a1e25640a224ffd

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\0x0g3t2j\0x0g3t2j.0.vb
                                                Filesize

                                                386B

                                                MD5

                                                156a4b3e570d9c7efc0f0094dbceb24e

                                                SHA1

                                                ccd7e470b9114884d6e958ab4d8b4c451f493c66

                                                SHA256

                                                7443a1bcd15924a389e5da2a0530b6703a35aed61e63cd1a1d7d0699d49a5a77

                                                SHA512

                                                90123975819cc2fc3030f94cc8bfce587e8c7efcca8c7ac8a1e99c5f3211c0a50fe16994836fb46fcb3a68b2157259a59f7a5928c19bba2fc3cb4059ecc8efa2

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\0x0g3t2j\0x0g3t2j.cmdline
                                                Filesize

                                                313B

                                                MD5

                                                71ad3a92c14a40b0dde34db9680ee286

                                                SHA1

                                                968a41e3d24e6542c4fd0640b8efb71d45936cea

                                                SHA256

                                                80b92d02610d27c1a913993716cac89341cba2a5ffaedf45d831199e6ff807d3

                                                SHA512

                                                0444486d3950b8704ea7061ff50f077047053ca748f88beb2c6e51dd454dad7d9e95aeba2f0d849d8f4a6a8cc6b7199639610c9e6043ce4e6245921d78a32364

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\0x0g3t2j\0x0g3t2j.exe
                                                Filesize

                                                6KB

                                                MD5

                                                094658e06ba560a5b4d501937160c615

                                                SHA1

                                                2d7264a5edcc758c91c0a467c375b34a12a604f6

                                                SHA256

                                                968b55e850a544315f296d0256245271fd38d5ed6d10271c03ef34e9821e5463

                                                SHA512

                                                486b2ddd2be218ec865228c76b329fac57e11ae337b75d69504ef740be2594ed76da0bfefd932ec4bc2fe92591bf929a182e67cdec1032e75bb88251907d3bda

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\RESF07C.tmp
                                                Filesize

                                                1KB

                                                MD5

                                                34333426e0165632f761b7fe4de32b4e

                                                SHA1

                                                5bccca732ce88f1735fcd244b1f60b0e7eb15f52

                                                SHA256

                                                214d80a3addb526482cb1452f91bcba330e9dbfda31f0e8f7169279d5f233183

                                                SHA512

                                                ccb82f605af6022ac071a96428c31617b08eb81f6ef03a1df7021ced8a5c259c2ef59ccac1f86954887685da92b4a22db46504055ffdad6ac1e322e99bdc2a7b

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gfeea32w.hbw.ps1
                                                Filesize

                                                60B

                                                MD5

                                                d17fe0a3f47be24a6453e9ef58c94641

                                                SHA1

                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                SHA256

                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                SHA512

                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\vbc4AAD7C5BCCD9460E8E7B3A895288D227.TMP
                                                Filesize

                                                1KB

                                                MD5

                                                d5246f1def61542414b553f7625f6d97

                                                SHA1

                                                c3c5ded65d866b0118bb63b1adf61664e00e26b2

                                                SHA256

                                                857666a2f210674f683aacb4d6f1a1931e56bf51581133d96a0e4903d677c889

                                                SHA512

                                                3d15990d3ea3cf892e5a14a4111e8147c84080c77ee241a8b710b11eb28b1b08214432954978671aa00b1adbcba7c30052249af39fe001a8ba1c856b27f113f6

                                                Download Submit

                                              • C:\Users\Admin\Desktop\How To Decrypt My Files.html
                                                Filesize

                                                639B

                                                MD5

                                                d2dbbc3383add4cbd9ba8e1e35872552

                                                SHA1

                                                020abbc821b2fe22c4b2a89d413d382e48770b6f

                                                SHA256

                                                5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

                                                SHA512

                                                bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

                                                Download Submit

                                              • C:\Users\Admin\Desktop\Microsoft Edge.lnk
                                                Filesize

                                                2KB

                                                MD5

                                                6c9bc40be873abcf6e2b9072249030a7

                                                SHA1

                                                2e771dc0e4180dfa24b4a82eb4fd0d1d3e744868

                                                SHA256

                                                0b2fe79652ec3e04ecfda5ba616c678ad2411983fd24e24f589d2bdfda791ede

                                                SHA512

                                                0d30b627bc0c8552a006d710176de6726a169b5a4dfe655695e57be48fbe458324c04922d08969e8ccd53cd76cbc46b76e853f5d04a17ce46ac710af99984fe5

                                                Download Submit

                                              • C:\Users\Admin\Desktop\PingSkip.lnk
                                                Filesize

                                                456KB

                                                MD5

                                                cb6105b8b6d8f7f36b12f14bd40e8b27

                                                SHA1

                                                6700805f9ec0234b3150d0bd92191823dedde874

                                                SHA256

                                                16faa0e55a14a9453908c49e4639e2f9e3dd1aa1a2830ddd80d23320e49b8223

                                                SHA512

                                                ce3f3575e3ae5f8cb759420de1ad29e08c4bb6c17d8ff5b2fe8648f280faf1a809e2e000c682a9dc6b3668756a7a79bbae7a04285d756c63b53d3ded0119428d

                                                Download Submit

                                              • C:\Users\Admin\Desktop\desktop.ini
                                                Filesize

                                                282B

                                                MD5

                                                9e36cc3537ee9ee1e3b10fa4e761045b

                                                SHA1

                                                7726f55012e1e26cc762c9982e7c6c54ca7bb303

                                                SHA256

                                                4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

                                                SHA512

                                                5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

                                                Download Submit

                                              • C:\Users\Admin\Documents\desktop.ini
                                                Filesize

                                                402B

                                                MD5

                                                ecf88f261853fe08d58e2e903220da14

                                                SHA1

                                                f72807a9e081906654ae196605e681d5938a2e6c

                                                SHA256

                                                cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

                                                SHA512

                                                82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

                                                Download Submit

                                              • C:\Users\Admin\Downloads\desktop.ini
                                                Filesize

                                                282B

                                                MD5

                                                3a37312509712d4e12d27240137ff377

                                                SHA1

                                                30ced927e23b584725cf16351394175a6d2a9577

                                                SHA256

                                                b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

                                                SHA512

                                                dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

                                                Download Submit

                                              • C:\Users\Admin\Music\desktop.ini
                                                Filesize

                                                504B

                                                MD5

                                                06e8f7e6ddd666dbd323f7d9210f91ae

                                                SHA1

                                                883ae527ee83ed9346cd82c33dfc0eb97298dc14

                                                SHA256

                                                8301e344371b0753d547b429c5fe513908b1c9813144f08549563ac7f4d7da68

                                                SHA512

                                                f7646f8dcd37019623d5540ad8e41cb285bcc04666391258dbf4c42873c4de46977a4939b091404d8d86f367cc31e36338757a776a632c7b5bf1c6f28e59ad98

                                                Download Submit

                                              • C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC
                                                Filesize

                                                16B

                                                MD5

                                                60b0b3fb0bf6d1307788e8c21367bead

                                                SHA1

                                                16a378296d1d17a399d6e7b2c470308493c1dcff

                                                SHA256

                                                4cd1a509102de46e0145321b036338d21463d84d8d4a56e4ab92debfe5e13cda

                                                SHA512

                                                3636a6f19ba0a65fdd4f9fb4526351248e77a59b7c6a4d5518497139b5a8ef97bfcd45eddaeca63aca13e0b957ffd016786bec45189b1da0a3ab186fa4e7ce1a

                                                Download Submit

                                              • C:\Users\Admin\OneDrive\desktop.ini
                                                Filesize

                                                96B

                                                MD5

                                                c193d420fc5bbd3739b40dbe111cd882

                                                SHA1

                                                a60f6985aa750931d9988c3229242f868dd1ca35

                                                SHA256

                                                e5bfc54e8f2409eba7d560ebe1c9bb5c3d73b18c02913657ed9b20ae14925adc

                                                SHA512

                                                d983334b7dbe1e284dbc79cf971465663ca29cec45573b49f9ecdb851cdb6e5f9a6b49d710a1553bdae58c764887c65ba13fd75dfdd380c5c9ef9c0024aa3ef0

                                                Download Submit

                                              • C:\Users\Admin\Pictures\desktop.ini
                                                Filesize

                                                504B

                                                MD5

                                                29eae335b77f438e05594d86a6ca22ff

                                                SHA1

                                                d62ccc830c249de6b6532381b4c16a5f17f95d89

                                                SHA256

                                                88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

                                                SHA512

                                                5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

                                                Download Submit

                                              • C:\Users\Admin\Videos\desktop.ini
                                                Filesize

                                                504B

                                                MD5

                                                50a956778107a4272aae83c86ece77cb

                                                SHA1

                                                10bce7ea45077c0baab055e0602eef787dba735e

                                                SHA256

                                                b287b639f6edd612f414caf000c12ba0555adb3a2643230cbdd5af4053284978

                                                SHA512

                                                d1df6bdc871cacbc776ac8152a76e331d2f1d905a50d9d358c7bf9ed7c5cbb510c9d52d6958b071e5bcba7c5117fc8f9729fe51724e82cc45f6b7b5afe5ed51a

                                                Download Submit

                                              • C:\Windows\Tasks\SA.DAT
                                                Filesize

                                                6B

                                                MD5

                                                f1a6cd5adaab953a6764ea364e17bfb8

                                                SHA1

                                                c99a1eb2d8974a667d2e0bc2dc1efcbe0ef23387

                                                SHA256

                                                12dc5ccd7fecafe070976a1916e9672e3d53085633c86957aee305ccc584184c

                                                SHA512

                                                da8cc20e0c0f48a975f97fc133ba4e99de6771163465d03f1cc0e3019fedfe0afa99799b9e343610a941218b19c9117b12e4ab86911d04c2908b6db44523e84c

                                                Download Submit

                                              • F:\$RECYCLE.BIN\S-1-5-21-2080292272-204036150-2159171770-1000\desktop.ini
                                                Filesize

                                                129B

                                                MD5

                                                a526b9e7c716b3489d8cc062fbce4005

                                                SHA1

                                                2df502a944ff721241be20a9e449d2acd07e0312

                                                SHA256

                                                e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

                                                SHA512

                                                d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

                                                Download Submit

                                              • memory/692-977-0x0000025FCDFB0000-0x0000025FCDFD0000-memory.dmp

                                                Filesize

                                                128KB

                                                Download

                                              • memory/692-963-0x0000025FCDBA0000-0x0000025FCDBC0000-memory.dmp

                                                Filesize

                                                128KB

                                                Download

                                              • memory/692-952-0x0000025FCDBE0000-0x0000025FCDC00000-memory.dmp

                                                Filesize

                                                128KB

                                                Download

                                              • memory/692-948-0x0000025FCCB00000-0x0000025FCCC00000-memory.dmp

                                                Filesize

                                                1024KB

                                                Download

                                              • memory/692-949-0x0000025FCCB00000-0x0000025FCCC00000-memory.dmp

                                                Filesize

                                                1024KB

                                                Download

                                              • memory/1296-19-0x00007FFE61780000-0x00007FFE62241000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/1296-9-0x000001EAD1CC0000-0x000001EAD1CE2000-memory.dmp

                                                Filesize

                                                136KB

                                                Download

                                              • memory/1296-10-0x00007FFE61780000-0x00007FFE62241000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/1296-15-0x00007FFE61780000-0x00007FFE62241000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/1296-16-0x00007FFE61780000-0x00007FFE62241000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/3684-3-0x00007FFE61780000-0x00007FFE62241000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/3684-108-0x000000001B230000-0x000000001B238000-memory.dmp

                                                Filesize

                                                32KB

                                                Download

                                              • memory/3684-885-0x000000001BA10000-0x000000001BA1A000-memory.dmp

                                                Filesize

                                                40KB

                                                Download

                                              • memory/3684-886-0x000000001BA20000-0x000000001BA2A000-memory.dmp

                                                Filesize

                                                40KB

                                                Download

                                              • memory/3684-901-0x000000001BA30000-0x000000001BA38000-memory.dmp

                                                Filesize

                                                32KB

                                                Download

                                              • memory/3684-1302-0x000000001CDF0000-0x000000001CE02000-memory.dmp

                                                Filesize

                                                72KB

                                                Download

                                              • memory/3684-60-0x000000001B220000-0x000000001B22E000-memory.dmp

                                                Filesize

                                                56KB

                                                Download

                                              • memory/3684-0-0x00007FFE61783000-0x00007FFE61785000-memory.dmp

                                                Filesize

                                                8KB

                                                Download

                                              • memory/3684-63-0x00007FFE61780000-0x00007FFE62241000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/3684-64-0x000000001D040000-0x000000001D15E000-memory.dmp

                                                Filesize

                                                1.1MB

                                                Download

                                              • memory/3684-2-0x00007FFE61783000-0x00007FFE61785000-memory.dmp

                                                Filesize

                                                8KB

                                                Download

                                              • memory/3684-1-0x00000000004D0000-0x00000000004E8000-memory.dmp

                                                Filesize

                                                96KB

                                                Download

                                              • memory/3684-943-0x000000001BF10000-0x000000001BF1A000-memory.dmp

                                                Filesize

                                                40KB

                                                Download

                                              • memory/3684-1298-0x000000001BF00000-0x000000001BF0A000-memory.dmp

                                                Filesize

                                                40KB

                                                Download

                                              • memory/3684-103-0x000000001D360000-0x000000001D6B0000-memory.dmp

                                                Filesize

                                                3.3MB

                                                Download

                                              • memory/3684-105-0x0000000000CB0000-0x0000000000CBA000-memory.dmp

                                                Filesize

                                                40KB

                                                Download

                                              • memory/3684-106-0x000000001E920000-0x000000001EE48000-memory.dmp

                                                Filesize

                                                5.2MB

                                                Download

                                              • memory/3684-1297-0x000000001CD90000-0x000000001CDC6000-memory.dmp

                                                Filesize

                                                216KB

                                                Download

                                              • memory/3684-109-0x000000001BE30000-0x000000001BE3A000-memory.dmp

                                                Filesize

                                                40KB

                                                Download

                                              • memory/3684-110-0x000000001BE50000-0x000000001BE5A000-memory.dmp

                                                Filesize

                                                40KB

                                                Download

                                              • memory/3684-145-0x000000001B9B0000-0x000000001B9BC000-memory.dmp

                                                Filesize

                                                48KB

                                                Download

                                              • memory/3684-903-0x000000001B9F0000-0x000000001B9FA000-memory.dmp

                                                Filesize

                                                40KB

                                                Download

                                              • memory/3684-1269-0x000000001C610000-0x000000001C61C000-memory.dmp

                                                Filesize

                                                48KB

                                                Download

                                              • memory/3684-1268-0x000000001F250000-0x000000001F2DE000-memory.dmp

                                                Filesize

                                                568KB

                                                Download

                                              • memory/3684-1267-0x000000001EE50000-0x000000001EEDE000-memory.dmp

                                                Filesize

                                                568KB

                                                Download

                                              • memory/3684-1258-0x000000001CFB0000-0x000000001CFEA000-memory.dmp

                                                Filesize

                                                232KB

                                                Download

                                              • memory/3684-904-0x000000001BA50000-0x000000001BA5A000-memory.dmp

                                                Filesize

                                                40KB

                                                Download

                                              • memory/4224-32-0x000001E89EAE0000-0x000001E89ECFC000-memory.dmp

                                                Filesize

                                                2.1MB

                                                Download

                                              • memory/4508-1154-0x000001A5A7280000-0x000001A5A72A0000-memory.dmp

                                                Filesize

                                                128KB

                                                Download

                                              • memory/4508-1132-0x000001A5A6E70000-0x000001A5A6E90000-memory.dmp

                                                Filesize

                                                128KB

                                                Download

                                              • memory/4508-1123-0x000001A5A6EB0000-0x000001A5A6ED0000-memory.dmp

                                                Filesize

                                                128KB

                                                Download

                                              • memory/4508-1118-0x000001A5A5D50000-0x000001A5A5E50000-memory.dmp

                                                Filesize

                                                1024KB

                                                Download

                                              • memory/4508-1119-0x000001A5A5D50000-0x000001A5A5E50000-memory.dmp

                                                Filesize

                                                1024KB

                                                Download

                                              • memory/4756-1116-0x0000000004220000-0x0000000004221000-memory.dmp

                                                Filesize

                                                4KB

                                                Download

                                              • memory/4868-945-0x0000000004110000-0x0000000004111000-memory.dmp

                                                Filesize

                                                4KB

                                                Download

                                              • memory/5040-55-0x000002482C620000-0x000002482C83C000-memory.dmp

                                                Filesize

                                                2.1MB

                                                Download