hxxps://top4top[.]s3[.]eu-central-2[.]wasabisys[.]com/anonymous/6oii4cLginWtYnQ_1722410943[.]rar?response-content-disposition=attachment%3B%20filename%3D%22TOOLS[.]rar%22&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=B77KQ8UE8YY8QFEKNSEN%2F20240801%2Feu-central-2%2Fs3%2Faws4_request&X-Amz-Date=20240801T205729Z&X-Amz-SignedHeaders=host&X-Amz-Expires=3600&X-Amz-Signature=3b5a55191dd2b5501a7f62d06e0698f7e2277a27166870a66d00445b146c353a

Analysis

max time kernel
105s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://top4top.s3.eu-central-2.wasabisys.com/anonymous/6oii4cLginWtYnQ_1722410943.rar?response-content-disposition=attachment%3B%20filename%3D%22TOOLS.rar%22&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=B77KQ8UE8YY8QFEKNSEN%2F20240801%2Feu-central-2%2Fs3%2Faws4_request&X-Amz-Date=20240801T205729Z&X-Amz-SignedHeaders=host&X-Amz-Expires=3600&X-Amz-Signature=3b5a55191dd2b5501a7f62d06e0698f7e2277a27166870a66d00445b146c353a

Score

9^/10

collection credential_access discovery execution persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2888	powershell.exe
2364	powershell.exe
3912	powershell.exe
3588	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3460	cmd.exe
316	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TOOLS.exe	TOOLS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TOOLS.exe	TOOLS.exe

Executes dropped EXE 4 IoCs

pid	Process
1324	TOOLS.exe
3944	TOOLS.exe
1040	TOOLS.exe
4176	TOOLS.exe

Loads dropped DLL 64 IoCs

pid	Process
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
4176	TOOLS.exe
4176	TOOLS.exe
4176	TOOLS.exe
4176	TOOLS.exe
4176	TOOLS.exe
4176	TOOLS.exe
4176	TOOLS.exe
4176	TOOLS.exe
4176	TOOLS.exe
4176	TOOLS.exe
4176	TOOLS.exe
4176	TOOLS.exe
4176	TOOLS.exe
4176	TOOLS.exe
4176	TOOLS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023508-254.dat	upx
behavioral1/memory/3944-258-0x00007FFE09B70000-0x00007FFE09FD5000-memory.dmp	upx
behavioral1/files/0x00070000000234e2-260.dat	upx
behavioral1/files/0x0007000000023502-265.dat	upx
behavioral1/memory/3944-268-0x00007FFE22680000-0x00007FFE2268F000-memory.dmp	upx
behavioral1/memory/3944-267-0x00007FFE1AA10000-0x00007FFE1AA34000-memory.dmp	upx
behavioral1/files/0x00070000000234e0-269.dat	upx
behavioral1/memory/3944-272-0x00007FFE14100000-0x00007FFE14118000-memory.dmp	upx
behavioral1/files/0x00070000000234e5-271.dat	upx
behavioral1/memory/3944-274-0x00007FFE0E1A0000-0x00007FFE0E1CC000-memory.dmp	upx
behavioral1/files/0x00070000000234eb-290.dat	upx
behavioral1/files/0x00070000000234ea-289.dat	upx
behavioral1/files/0x00070000000234e9-288.dat	upx
behavioral1/files/0x00070000000234e8-287.dat	upx
behavioral1/files/0x00070000000234e7-286.dat	upx
behavioral1/files/0x00070000000234e6-285.dat	upx
behavioral1/files/0x00070000000234e4-284.dat	upx
behavioral1/files/0x00070000000234e3-283.dat	upx
behavioral1/files/0x00070000000234e1-282.dat	upx
behavioral1/files/0x0007000000023517-280.dat	upx
behavioral1/files/0x0007000000023516-279.dat	upx
behavioral1/files/0x000700000002350c-278.dat	upx
behavioral1/files/0x0007000000023506-277.dat	upx
behavioral1/files/0x0007000000023503-276.dat	upx
behavioral1/files/0x0007000000023501-275.dat	upx
behavioral1/files/0x000700000002350b-296.dat	upx
behavioral1/memory/3944-294-0x00007FFE13A50000-0x00007FFE13A69000-memory.dmp	upx
behavioral1/memory/3944-299-0x00007FFE0DF00000-0x00007FFE0DF2E000-memory.dmp	upx
behavioral1/files/0x000700000002350a-301.dat	upx
behavioral1/memory/3944-303-0x00007FFE0B4F0000-0x00007FFE0B5AC000-memory.dmp	upx
behavioral1/memory/3944-298-0x00007FFE20C90000-0x00007FFE20C9D000-memory.dmp	upx
behavioral1/memory/3944-293-0x00007FFE0E160000-0x00007FFE0E195000-memory.dmp	upx
behavioral1/files/0x000700000002351a-304.dat	upx
behavioral1/memory/3944-306-0x00007FFE0B4C0000-0x00007FFE0B4EB000-memory.dmp	upx
behavioral1/memory/3944-308-0x00007FFE09B70000-0x00007FFE09FD5000-memory.dmp	upx
behavioral1/memory/3944-309-0x00007FFE1D590000-0x00007FFE1D59D000-memory.dmp	upx
behavioral1/memory/3944-312-0x00007FFE0B1A0000-0x00007FFE0B311000-memory.dmp	upx
behavioral1/memory/3944-311-0x00007FFE0B4A0000-0x00007FFE0B4BE000-memory.dmp	upx
behavioral1/memory/3944-314-0x00007FFE0B480000-0x00007FFE0B498000-memory.dmp	upx
behavioral1/memory/3944-313-0x00007FFE1AA10000-0x00007FFE1AA34000-memory.dmp	upx
behavioral1/memory/3944-317-0x00007FFE097F0000-0x00007FFE09B67000-memory.dmp	upx
behavioral1/memory/3944-316-0x00007FFE0B0E0000-0x00007FFE0B197000-memory.dmp	upx
behavioral1/memory/3944-315-0x00007FFE0B450000-0x00007FFE0B47E000-memory.dmp	upx
behavioral1/memory/3944-319-0x00007FFE0B430000-0x00007FFE0B445000-memory.dmp	upx
behavioral1/memory/3944-321-0x00007FFE1D570000-0x00007FFE1D57B000-memory.dmp	upx
behavioral1/memory/3944-320-0x00007FFE13A50000-0x00007FFE13A69000-memory.dmp	upx
behavioral1/memory/3944-322-0x00007FFE0B400000-0x00007FFE0B426000-memory.dmp	upx
behavioral1/memory/3944-324-0x00007FFE096D0000-0x00007FFE097E8000-memory.dmp	upx
behavioral1/memory/3944-323-0x00007FFE0DF00000-0x00007FFE0DF2E000-memory.dmp	upx
behavioral1/memory/3944-332-0x00007FFE1C6A0000-0x00007FFE1C6AC000-memory.dmp	upx
behavioral1/memory/3944-331-0x00007FFE1CB30000-0x00007FFE1CB3B000-memory.dmp	upx
behavioral1/memory/3944-330-0x00007FFE0B4C0000-0x00007FFE0B4EB000-memory.dmp	upx
behavioral1/memory/3944-329-0x00007FFE1CF10000-0x00007FFE1CF1C000-memory.dmp	upx
behavioral1/memory/3944-328-0x00007FFE1D050000-0x00007FFE1D05B000-memory.dmp	upx
behavioral1/memory/3944-338-0x00007FFE1C3D0000-0x00007FFE1C3DB000-memory.dmp	upx
behavioral1/memory/3944-339-0x00007FFE0B4A0000-0x00007FFE0B4BE000-memory.dmp	upx
behavioral1/memory/3944-340-0x00007FFE0B1A0000-0x00007FFE0B311000-memory.dmp	upx
behavioral1/memory/3944-347-0x00007FFE0B080000-0x00007FFE0B092000-memory.dmp	upx
behavioral1/memory/3944-346-0x00007FFE0B480000-0x00007FFE0B498000-memory.dmp	upx
behavioral1/memory/3944-345-0x00007FFE0B0A0000-0x00007FFE0B0AD000-memory.dmp	upx
behavioral1/memory/3944-344-0x00007FFE0B0B0000-0x00007FFE0B0BC000-memory.dmp	upx
behavioral1/memory/3944-343-0x00007FFE0B0C0000-0x00007FFE0B0CC000-memory.dmp	upx
behavioral1/memory/3944-342-0x00007FFE0B0D0000-0x00007FFE0B0DB000-memory.dmp	upx
behavioral1/memory/3944-341-0x00007FFE097F0000-0x00007FFE09B67000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
53	raw.githubusercontent.com
54	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
51	api.ipify.org
52	api.ipify.org
65	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00090000000234a2-153.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2272	cmd.exe
4700	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3284	cmd.exe
4544	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2176	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000_Classes\Local Settings	OpenWith.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4700	PING.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2176	msedge.exe
2176	msedge.exe
2076	msedge.exe
2076	msedge.exe
5056	identity_helper.exe
5056	identity_helper.exe
1436	msedge.exe
1436	msedge.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
3944	TOOLS.exe
316	powershell.exe
316	powershell.exe
2888	powershell.exe
2888	powershell.exe
3912	powershell.exe
3912	powershell.exe
3588	powershell.exe
3588	powershell.exe
2364	powershell.exe
2364	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1608	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4356	7zG.exe
Token: 35	4356	7zG.exe
Token: SeSecurityPrivilege	4356	7zG.exe
Token: SeSecurityPrivilege	4356	7zG.exe
Token: SeDebugPrivilege	3944	TOOLS.exe
Token: SeIncreaseQuotaPrivilege	2496	WMIC.exe
Token: SeSecurityPrivilege	2496	WMIC.exe
Token: SeTakeOwnershipPrivilege	2496	WMIC.exe
Token: SeLoadDriverPrivilege	2496	WMIC.exe
Token: SeSystemProfilePrivilege	2496	WMIC.exe
Token: SeSystemtimePrivilege	2496	WMIC.exe
Token: SeProfSingleProcessPrivilege	2496	WMIC.exe
Token: SeIncBasePriorityPrivilege	2496	WMIC.exe
Token: SeCreatePagefilePrivilege	2496	WMIC.exe
Token: SeBackupPrivilege	2496	WMIC.exe
Token: SeRestorePrivilege	2496	WMIC.exe
Token: SeShutdownPrivilege	2496	WMIC.exe
Token: SeDebugPrivilege	2496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2496	WMIC.exe
Token: SeRemoteShutdownPrivilege	2496	WMIC.exe
Token: SeUndockPrivilege	2496	WMIC.exe
Token: SeManageVolumePrivilege	2496	WMIC.exe
Token: 33	2496	WMIC.exe
Token: 34	2496	WMIC.exe
Token: 35	2496	WMIC.exe
Token: 36	2496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2496	WMIC.exe
Token: SeSecurityPrivilege	2496	WMIC.exe
Token: SeTakeOwnershipPrivilege	2496	WMIC.exe
Token: SeLoadDriverPrivilege	2496	WMIC.exe
Token: SeSystemProfilePrivilege	2496	WMIC.exe
Token: SeSystemtimePrivilege	2496	WMIC.exe
Token: SeProfSingleProcessPrivilege	2496	WMIC.exe
Token: SeIncBasePriorityPrivilege	2496	WMIC.exe
Token: SeCreatePagefilePrivilege	2496	WMIC.exe
Token: SeBackupPrivilege	2496	WMIC.exe
Token: SeRestorePrivilege	2496	WMIC.exe
Token: SeShutdownPrivilege	2496	WMIC.exe
Token: SeDebugPrivilege	2496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2496	WMIC.exe
Token: SeRemoteShutdownPrivilege	2496	WMIC.exe
Token: SeUndockPrivilege	2496	WMIC.exe
Token: SeManageVolumePrivilege	2496	WMIC.exe
Token: 33	2496	WMIC.exe
Token: 34	2496	WMIC.exe
Token: 35	2496	WMIC.exe
Token: 36	2496	WMIC.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	3588	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeIncreaseQuotaPrivilege	2544	WMIC.exe
Token: SeSecurityPrivilege	2544	WMIC.exe
Token: SeTakeOwnershipPrivilege	2544	WMIC.exe
Token: SeLoadDriverPrivilege	2544	WMIC.exe
Token: SeSystemProfilePrivilege	2544	WMIC.exe
Token: SeSystemtimePrivilege	2544	WMIC.exe
Token: SeProfSingleProcessPrivilege	2544	WMIC.exe
Token: SeIncBasePriorityPrivilege	2544	WMIC.exe
Token: SeCreatePagefilePrivilege	2544	WMIC.exe
Token: SeBackupPrivilege	2544	WMIC.exe
Token: SeRestorePrivilege	2544	WMIC.exe
Token: SeShutdownPrivilege	2544	WMIC.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
4356	7zG.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe

Suspicious use of SetWindowsHookEx 40 IoCs

pid	Process
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
4168	OpenWith.exe
4168	OpenWith.exe
4168	OpenWith.exe
4168	OpenWith.exe
4168	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1860	2076	msedge.exe	83
PID 2076 wrote to memory of 1860	2076	msedge.exe	83
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2996	2076	msedge.exe	84
PID 2076 wrote to memory of 2176	2076	msedge.exe	85
PID 2076 wrote to memory of 2176	2076	msedge.exe	85
PID 2076 wrote to memory of 60	2076	msedge.exe	86
PID 2076 wrote to memory of 60	2076	msedge.exe	86
PID 2076 wrote to memory of 60	2076	msedge.exe	86
PID 2076 wrote to memory of 60	2076	msedge.exe	86
PID 2076 wrote to memory of 60	2076	msedge.exe	86
PID 2076 wrote to memory of 60	2076	msedge.exe	86
PID 2076 wrote to memory of 60	2076	msedge.exe	86
PID 2076 wrote to memory of 60	2076	msedge.exe	86
PID 2076 wrote to memory of 60	2076	msedge.exe	86
PID 2076 wrote to memory of 60	2076	msedge.exe	86
PID 2076 wrote to memory of 60	2076	msedge.exe	86
PID 2076 wrote to memory of 60	2076	msedge.exe	86
PID 2076 wrote to memory of 60	2076	msedge.exe	86
PID 2076 wrote to memory of 60	2076	msedge.exe	86
PID 2076 wrote to memory of 60	2076	msedge.exe	86
PID 2076 wrote to memory of 60	2076	msedge.exe	86
PID 2076 wrote to memory of 60	2076	msedge.exe	86
PID 2076 wrote to memory of 60	2076	msedge.exe	86
PID 2076 wrote to memory of 60	2076	msedge.exe	86
PID 2076 wrote to memory of 60	2076	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://top4top.s3.eu-central-2.wasabisys.com/anonymous/6oii4cLginWtYnQ_1722410943.rar?response-content-disposition=attachment%3B%20filename%3D%22TOOLS.rar%22&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=B77KQ8UE8YY8QFEKNSEN%2F20240801%2Feu-central-2%2Fs3%2Faws4_request&X-Amz-Date=20240801T205729Z&X-Amz-SignedHeaders=host&X-Amz-Expires=3600&X-Amz-Signature=3b5a55191dd2b5501a7f62d06e0698f7e2277a27166870a66d00445b146c353a
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1d1d46f8,0x7ffe1d1d4708,0x7ffe1d1d4718
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,5586176029111272605,17102264061536243265,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,5586176029111272605,17102264061536243265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,5586176029111272605,17102264061536243265,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
  2⤵
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5586176029111272605,17102264061536243265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5586176029111272605,17102264061536243265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,5586176029111272605,17102264061536243265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,5586176029111272605,17102264061536243265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5586176029111272605,17102264061536243265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,5586176029111272605,17102264061536243265,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4192 /prefetch:8
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,5586176029111272605,17102264061536243265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5586176029111272605,17102264061536243265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5586176029111272605,17102264061536243265,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5586176029111272605,17102264061536243265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5586176029111272605,17102264061536243265,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5586176029111272605,17102264061536243265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5586176029111272605,17102264061536243265,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5586176029111272605,17102264061536243265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5586176029111272605,17102264061536243265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1756 /prefetch:1
  2⤵
  PID:3660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1040

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4168

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4244

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\TOOLS\" -ad -an -ai#7zMap9306:72:7zEvent9284
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4356

C:\Users\Admin\Downloads\TOOLS\TOOLS.exe
"C:\Users\Admin\Downloads\TOOLS\TOOLS.exe"
1⤵
- Executes dropped EXE
PID:1324
- C:\Users\Admin\Downloads\TOOLS\TOOLS.exe
  "C:\Users\Admin\Downloads\TOOLS\TOOLS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    3⤵
    PID:4856
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3284
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
    3⤵
    PID:4112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2888
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3656
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2544
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    PID:2104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:908
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3852
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    3⤵
    PID:1172
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
      4⤵
      PID:3100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /F "C:\Users\Admin\Downloads\TOOLS\TOOLS.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2272
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4700

C:\Users\Admin\Downloads\TOOLS\TOOLS.exe
"C:\Users\Admin\Downloads\TOOLS\TOOLS.exe"
1⤵
- Executes dropped EXE
PID:1040
- C:\Users\Admin\Downloads\TOOLS\TOOLS.exe
  "C:\Users\Admin\Downloads\TOOLS\TOOLS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
23b6e2531d39ba76e0604a4685249f2d

SHA1
5f396f68bd58b4141a3a0927d0a93d5ef2c8172f

SHA256
4a486d7be440ddf2909be2c2b41e55f0666b02670bbf077ac435e3cddc55a15e

SHA512
a1a7fef086526e65184f60b61d483848183ef7c98cf09f05ac9e5b11504696406120ab01da8ed7f35e3145aa5fc54307c9397770681e4d10feea64113e7a57cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6ffd468ded3255ce35ba13e5d87c985a

SHA1
09f11746553fd82f0a0ddef4994dc3605f39ccec

SHA256
33103b1e4da1933459575d2e0441b8693ba1ede4695a3d924e2d74e72becabd8

SHA512
5d5530c57faa4711f51e4baef0d1f556937a5db1e2a54ee376c3556c01db0ddf628856f346057d3849baa5db35603b96a0a9894f3c65a80c947085eb640348ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a86473f3fb5665ea6aecb92888f1155a

SHA1
93809c5a39dbbc6035fb321aa069cd76a43d72fb

SHA256
c371da6df1248992dd5d746c30a4bcaf0fb1663553472a75fa2956ce1c38f19f

SHA512
113d5a179021a2bc5c177245f1127338f4c6c9e637a2e731bf23065247e77fe17a386e0375ef235d4831b9cebec21acd0a07aa15be83fbbd7b08e2c9e5f85fe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8181599fd97f1e057dc3309c22af2fa8

SHA1
5ec2cf07b596828943f904927355916fe00eb4c3

SHA256
4c774a95670f2f3e96024fc94b72c417c0ca2b976ff23dd8a236ae02cde65583

SHA512
9a81c51fd3d7b29f6781e7830c42ae0dbc8d938c5e3a5ac2760c484d6a8d6fc7e7bc245ad56092903efc4ef560758aa9b4548142442c23e79f6d68b1e953564b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a9338960663ce0fc4ce1ac69c1169323

SHA1
61799644bb900d3c0d1e37d6a1328da98aadfb99

SHA256
bd61f5d660cbd7fdf9d74f4ce1484147f7d189fd263f1b7b5d05b7510914b4a7

SHA512
79dbd449f9736a7e2d1dd86c613c9e6fe868a6916b19b0d5f74449538b8cee7b9da3249671c45a6eac8406628d29091127a651327e6458f830d92dac43569daa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8cb9f10f4c1969926037511e7ab7d515

SHA1
407b70530807b39c99a7ea1cc68d43bfced1614f

SHA256
dbd5d6b8df9b19886c180dcb4c680ac516636f4fc9e4f6609e92c4d68ca848e4

SHA512
ce497edd88838f2e18abe3b7c69aa9f114a652257c4809257988daafaa189a88a83e07bfe93267c0a3d6d90de24be0a9df7b0dc78844135356561d73e454d040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
76451366203d8da6cd4f6b00c86177cb

SHA1
3827abe6b15c1ecc9dbdb1eb43eaa905b5140567

SHA256
ed00f095d4a349a262323105c03c8fc5da2612cb6a7b53dafdf5a2618d54df66

SHA512
67c4090d844b1040afe2111a39b5068d0626f9c743865858b91aa41ed4c8b79912c7e225bb6ced0ce39da9063140e494f894db298a48266408a5dcb2b15cf5f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ecc7cf141ed638ea6481bab01b48f378

SHA1
08d3137e56620ffbe1159595cec2a053afcd8764

SHA256
c468d801d4c8042a67547602fe0fd1cc83b1feaf12cd1ae1650823a409838d2c

SHA512
d26598eea98618309012854534eda9c2c3153a8c3dca3be4064a72c8d9c666e103471f4f36287aa725965c9ac31515d7a7c52ca27c2d7db3126934eca4e4ba50

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2t4wJAU2m\Browser\cc's.txt

Filesize
91B

MD5
5aa796b6950a92a226cc5c98ed1c47e8

SHA1
6706a4082fc2c141272122f1ca424a446506c44d

SHA256
c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c

SHA512
976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2t4wJAU2m\Browser\history.txt

Filesize
23B

MD5
5638715e9aaa8d3f45999ec395e18e77

SHA1
4e3dc4a1123edddf06d92575a033b42a662fe4ad

SHA256
4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6

SHA512
78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\VCRUNTIME140_1.dll

Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\_bz2.pyd

Filesize
44KB

MD5
2fe457932ef5b6d31027341c36cc861f

SHA1
3feb5a3880555dab1b8f81a461a354bdaf9449f3

SHA256
ad1654d88dca0102ee2f6364323cc960dcac9d6f7957314ffd55221d63d8cc58

SHA512
39210ff4d9a3079ee90934dda7807e2ac6a3f0ac244090170a22ca78edd8d016815653f3570d5f30c7a920634fd4282f917ca1d229f7294c06a9ef1f5ea545cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
2c10963a86452d7598ea524b9432b0ba

SHA1
1061560d76835415d600879e43e04d3315b0af67

SHA256
3cd74813744062712d08fadc0d980c541d92d4ac6bbee91daf2b1599d9c3e5f7

SHA512
c179c256de828da85294a052e5db531ba43ab32f018f4c7d777f9dcda89432bed0042764d1259fd6796756fd05009b0aa0c33f6e6c8b7e898931262e0aadb32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\_ctypes.pyd

Filesize
55KB

MD5
10919db111de50d39df5c829dac91715

SHA1
7e308bb3b4f1eb47fbd5143cb4e169cf2b437ab6

SHA256
963ace74612bcfb459a28517f34cd6734c0fdd3b9197a504a9ab21d257b06644

SHA512
130468e5026d32cd9a9fb9cb1df5a1f36a54cfde07cb799d68abb0152e075fdd48f05a6580852f0cfec8e490814cfa588fa02552bcdb858e1b722d9105bf37b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\_decimal.pyd

Filesize
102KB

MD5
8d7486b569d058b132e472de72d907cf

SHA1
851e1254bd51315ec2a6b0645ae31fb35a293014

SHA256
6e413ed4d5eb81c321388f6ef529db6063d6d564f8649e7256ce3c87afbacd32

SHA512
5a264f8a86af7f9a41906359cc417bd39e6d6ad5b6bf2ae7e389d6eeb0e718da242565ad0a8e40f5afc26e9797e9694251044fc2662242303feb50b21360e4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\_hashlib.pyd

Filesize
32KB

MD5
1556f897857e3f0bf0007cd351d8938d

SHA1
c47427f97c6107337693e480c207faa3947d1e0b

SHA256
469596bd849e4f357ea7358809541897b8ba7db23e14270c427d14820b61bbc8

SHA512
78b44c863f476c7cde863dd95336add9ee8e59baa73a40ef290f5e830151a51f7ddcd161a26e941dd073a64d1f6ec1c8a42f48a89e4fb1e533f0a1f0480ae76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\_lzma.pyd

Filesize
82KB

MD5
9c1c78dcccce27935662a21897108798

SHA1
8efb7b56645dede4365527fcdfb72ab4615763a3

SHA256
96f0d15cbc8572636acc8a9e89220937f07265de7f6a2c000b9f1b9de76ea8ea

SHA512
4d0297adf3c1e0ab02ef5efbb38680cb0685b08c7944461c2d924975f01643202eff2676c37f6566181e615a8805f5ede0d8227350f9e3a2e3f9f6e8e782a156

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\_multiprocessing.pyd

Filesize
23KB

MD5
dfd574bbb69d8322851dc2b87b5d03a5

SHA1
5ba1d0798a7b9e50555c3d598f960a97f6bf568f

SHA256
b99d65b4444ab19226191ea6a6a431034195ab95ae22488a2debfee070f3ce33

SHA512
00b13ff6b6a53406c69d7a85855a9ddca6820eb440e90d3b61261d3d82fc333cf0736f0ede2adbbb2d80867eaa677ad6e5391e72be48873a9450c254e18dedb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\_queue.pyd

Filesize
22KB

MD5
12a247e7df51ba1ca2bb8d1a51e155bb

SHA1
c310e1eca2c8bdab025757099bb4a4bd5a9b1b8f

SHA256
b03e4d5e244850b94842c18e8e3066dc2233e7056ea190f44f42435d52087325

SHA512
53b81950e15e245d0d7bc13ca3464b3ab178b3ed53dbede13e643184538ebe69dbbdc95df8f0d74d24f9c489975f42594e0d6657b81a567318d4a6d3faab929c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\_socket.pyd

Filesize
39KB

MD5
34a855ce59f2073f8ca43a98a2539b63

SHA1
46c932f25ec4a5a7a64df0f3162a9ccafb0a63cd

SHA256
a53e3e0434f72ef7a645882705267cfbce2eaaaf83b84464bc84b40eec517c08

SHA512
9add1c8eb3ba167e7720be2e5fe147c3b55205eb133948eafa7a419a442f38e85879892c4c20e35273843c64500849a28abe3df3305e17079743b2e16cd797ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\_sqlite3.pyd

Filesize
47KB

MD5
f2c0219488cf6910c14ae68a65a4d364

SHA1
83032921dfed68f0ce9272efb40aed3247c8c44a

SHA256
d0679b355162dca4898131a4ad617ddae6a14c9d6262856d68f1ab1d639250d0

SHA512
2e3a88c62d53d5bb8c2db7f97e0dcbb21f991bcc4c5b748447a0f30c929114f867ce377dd195d6b57da36e0e23c10a9ee66ffde42552766b85dead0f08dea086

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\_ssl.pyd

Filesize
59KB

MD5
d6188f49230356c75c47538111399761

SHA1
dedb75c4371baf697fd91728dece0fbb9cc95aec

SHA256
b121c5129642afacff657c1c98231d5b1ed2307144ce4b23badbbd96ea7ca007

SHA512
99915882c43c3fae77acf5eedda2a17033eeffcd877444f8a491fa1b852424283d7f73b6cf4bcd3316b8f9a804dcf91d017e9bcba36995a7dee5eda85f64b713

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\_uuid.pyd

Filesize
20KB

MD5
d5f07590132a951cd06df53c9e3c2770

SHA1
b763ea9dea02e5360f98f083ba4dfc40a6736b8b

SHA256
52134692a89f5bd2be4604eb2f46b7a47a3cae52092b2d74eec677e4852b9c54

SHA512
cabc53768698e70e5456593bd69b78f47de3009259ed359d7e7720102d10c16ea0936bd21c509bc21e8a40a9077a506a355491756c882d7463449528d2d68364

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\base_library.zip

Filesize
859KB

MD5
7189563ca7d7bc1d2973a0a9452eb127

SHA1
5652d5e4fa3b3bf55c6b1c79efab9c4f078f5415

SHA256
6f50b4dc2129ff8e22807dcce0bd93f74f803d7893abf8fd55a7ae7dfc5de06c

SHA512
6baa17b84707472ad4ab9548438c062099fe9160aec9b6a449af79618143f0342640ff135cd28ceb3b036e90cfa173bcfa2952ac9481a411880539b73a885946

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\libcrypto-1_1.dll

Filesize
1.1MB

MD5
97aae56a9a70cd181bb83e47a0818c79

SHA1
8fb01cbe59e857322891e8cfdc264651fda58745

SHA256
ceaad3bc4a31298320568f6507297e37557f0fc39ab8d0bbb2becfd1f26c70c6

SHA512
ef84fde8f2c5926598f646a266e650520b5400f3b056c3f0dfcd9dbc4d4a8d60e97bb50f211e962b890bb0300bbdbc7ee0d46a18ff28c49b0163b6ac648064ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\libffi-7.dll

Filesize
23KB

MD5
3e91e70021fcbe76c38d87a62f9f424f

SHA1
067d8076aba98177bc1aaaf0102ac5ed411f8312

SHA256
e2880494d9509fb0314fc77ab4c9a68a39cdb8a0a24838d04d4ac252fa12f270

SHA512
7908116d924c1b5a424a5d998caa5f21587a622b3a1811293406b331934cc57077fe078e3e62ea471db37c59e108bba4e285e1caaa54a4e4ceb71c04382c649a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\libssl-1_1.dll

Filesize
200KB

MD5
668a30bd23391009cc57b85e6f874484

SHA1
9d035b8495549f4d7862f5e25239da3f5d86a2dd

SHA256
1782bbf740b8ac3c5b4044a7031167e9571f556a6af77a0e06dffda0d70b863d

SHA512
1165f7fb424ba70562d327fe8c05ff6466c287ae99708e73da32257620dd1799a22c01bcfeae8b50881cdc00e98ddf5288d2726c6680ff8e0c203df5f126f906

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\pyexpat.pyd

Filesize
84KB

MD5
8985fa7cb8b8bea7476b650b35aa643f

SHA1
81e4d0df08e183751e9fb65e4bbece7063eac105

SHA256
e8cfe479e478747d031d30c2df70f531aaab231cc928d6cff27783d0d049ed1a

SHA512
ae0933f37231c352c0241f2bc58b489e3994c8a35081c0571863cb99fb450325c421dfbceca877dce12444e7e9286b8b1685146d80109de5f6f1a36c16f46c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\python3.DLL

Filesize
61KB

MD5
704d647d6921dbd71d27692c5a92a5fa

SHA1
6f0552ce789dc512f183b565d9f6bf6bf86c229d

SHA256
a1c5c6e4873aa53d75b35c512c1cbadf39315deeec21a3ada72b324551f1f769

SHA512
6b340d64c808388fe95e6d632027715fb5bd801f013debaaa97e5ecb27a6f6ace49bf23648517dd10734daff8f4f44969cff2276010bf7502e79417736a44ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\python310.dll

Filesize
1.4MB

MD5
c636d4d09f0c3ec969c9114ac7f3b5c8

SHA1
57f6716562d75dfff70945b503ab9615cf54262b

SHA256
1073c9c6d2c7a3a0feaf5fb3f405d9ec70101247eeee7f31a1e84a44aaf128f6

SHA512
75d54e5dd850e32794c261192f34a69c67c883aed358c8df92290a88dd426450b8f101ce41676dd6100d7856e969a66e76fd1dd3a7078fd5ffebb2a69e505bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\pywin32_system32\pythoncom310.dll

Filesize
193KB

MD5
94f9a7b80ddcbc0623be6e796ce119bd

SHA1
49a29ee4054dd8c2547c065b651102705024593d

SHA256
43f57b57e3e8666f52a7f6525cf107ca8b685c582a111e6891e23fd4742a502b

SHA512
c2be1ac0bcfabfb331e67b9652bc02ab40a22c8c6bad053d646773a1ecdc4cbe57b4f024602ec48e1214110fa56191a6cf732de1c0871226c9462a25b15d7aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\pywin32_system32\pywintypes310.dll

Filesize
62KB

MD5
4834c005c00a4ea31e940da3e2c75354

SHA1
cac4d010d0ee8b9d87106b4a5f1f1b63ce91bdfc

SHA256
2dc712b833e26819296ae2918cf297a1efabb37e5802a6738aa3a12906861e02

SHA512
368b98894049b8fa77bd7ce2a3fecb949f53bd39f0927828e97e2f77ec9ada056a1ee426d456c126537d4205aabf55867a0710ea3bf6539baca5c73f86242a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\select.pyd

Filesize
22KB

MD5
b4f1632444f04e066eeab4378d52ecea

SHA1
b14fcc9ec52ba5b512a798a43bede271fa7a83a8

SHA256
6471685de4a8b4cb99e5e22bdfa7d53d5fd2c5bf26ea4d9ec948edb4da05fbf3

SHA512
d148e7a36608525823f1992742e33165496cf6c7d6b84e553ea0319f52dbcc6bc7712bca944c0778bc28f699f932208816173adf02b2918e54821160a52bad1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\sqlite3.dll

Filesize
612KB

MD5
b350764b70bb6545685ea622ca563443

SHA1
38862bd90f0e872b0da7591e7a2fe55e0bf74063

SHA256
e4a5514b4ad19d6250732833889d8a25567885b0a594a5ecb7448c12e003a4e3

SHA512
ec87e32e8cf07157aab6ff3c672de7912d70795c35428707f7f3acef78a79fb122d3383e2c475072d174101ae0b2568e7d53b0d9df11de840662ad1dd7f79dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\unicodedata.pyd

Filesize
286KB

MD5
2224618453656d966a55ad6b6d28c9c6

SHA1
ffebf20a63c0ca7962026e6dd80219d2902c648b

SHA256
e20abfc3c575867115314c9bf88c8c5d0f1892ea5be10db2f48dbf4b0553327c

SHA512
0143cd69b61b9b57e2628f6c21d202c86ddb873b7296936944679129a8c099b74f68abdb0395748010152b7c2dac01d98a7a656c531836fe27f207830d412ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\win32\win32api.pyd

Filesize
48KB

MD5
4de3f5e30d9c378ad545eb01450da7f5

SHA1
effbbb776bd64b9aef4134b7475675c77a646e8d

SHA256
bc28f70df94e15fbc3bcc23097ca68609786c2b0ed063aa3da6b0c071e0ca03c

SHA512
3a2a8044235eb4e40c14fc13ce68d68885971c707c2b7966f64c0e1cce51c5535eb3e56d8ac2770cd5e2e1a6e3133cb4b2456831a2610af1c235deffbc9bef50

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1oypsgk2.rbk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\TOOLS\TOOLS.exe

Filesize
15.7MB

MD5
09977e752efb440d5254d763821229ee

SHA1
6893f9b9ad20cb7604a1f2edceb411123dc47fc6

SHA256
4da7c57da36f317504fc1fa73b252d4d4ec8b67cafcf9fde0ef997d2c2e65664

SHA512
291bf5bd25ae952b16a313c8614e5d9d8e4695b522ce8458f84b3b9673931d40d5650b986d54d6c2e6470b21890667186917bd84336519398ada207887548e4e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 969440.crdownload

Filesize
15.6MB

MD5
6c3c216b24b1fd3caf7d6aec18c5704a

SHA1
7012b86c953325a1f1c3f69b13a8f3dbcf95d829

SHA256
2bde5ef21d7bdbcf7ef622f4eac91bec776875dd5b0bd5d52b41d2db4cf04400

SHA512
34c0e83599f0be0964e1b7ded6cbff66354da7fa79b180a11a7c303edd49270cf625284ff84a9cf499614966a5bb12fa1d572f12c974d8cae8e643743898bd05

Download Submit
memory/316-379-0x000001F1CFF70000-0x000001F1CFF92000-memory.dmp

Filesize
136KB

Download
memory/3944-343-0x00007FFE0B0C0000-0x00007FFE0B0CC000-memory.dmp

Filesize
48KB

Download
memory/3944-432-0x00007FFE0B3C0000-0x00007FFE0B3F8000-memory.dmp

Filesize
224KB

Download
memory/3944-303-0x00007FFE0B4F0000-0x00007FFE0B5AC000-memory.dmp

Filesize
752KB

Download
memory/3944-298-0x00007FFE20C90000-0x00007FFE20C9D000-memory.dmp

Filesize
52KB

Download
memory/3944-293-0x00007FFE0E160000-0x00007FFE0E195000-memory.dmp

Filesize
212KB

Download
memory/3944-294-0x00007FFE13A50000-0x00007FFE13A69000-memory.dmp

Filesize
100KB

Download
memory/3944-306-0x00007FFE0B4C0000-0x00007FFE0B4EB000-memory.dmp

Filesize
172KB

Download
memory/3944-308-0x00007FFE09B70000-0x00007FFE09FD5000-memory.dmp

Filesize
4.4MB

Download
memory/3944-309-0x00007FFE1D590000-0x00007FFE1D59D000-memory.dmp

Filesize
52KB

Download
memory/3944-312-0x00007FFE0B1A0000-0x00007FFE0B311000-memory.dmp

Filesize
1.4MB

Download
memory/3944-311-0x00007FFE0B4A0000-0x00007FFE0B4BE000-memory.dmp

Filesize
120KB

Download
memory/3944-314-0x00007FFE0B480000-0x00007FFE0B498000-memory.dmp

Filesize
96KB

Download
memory/3944-313-0x00007FFE1AA10000-0x00007FFE1AA34000-memory.dmp

Filesize
144KB

Download
memory/3944-317-0x00007FFE097F0000-0x00007FFE09B67000-memory.dmp

Filesize
3.5MB

Download
memory/3944-318-0x0000025DDA340000-0x0000025DDA6B7000-memory.dmp

Filesize
3.5MB

Download
memory/3944-316-0x00007FFE0B0E0000-0x00007FFE0B197000-memory.dmp

Filesize
732KB

Download
memory/3944-315-0x00007FFE0B450000-0x00007FFE0B47E000-memory.dmp

Filesize
184KB

Download
memory/3944-319-0x00007FFE0B430000-0x00007FFE0B445000-memory.dmp

Filesize
84KB

Download
memory/3944-321-0x00007FFE1D570000-0x00007FFE1D57B000-memory.dmp

Filesize
44KB

Download
memory/3944-320-0x00007FFE13A50000-0x00007FFE13A69000-memory.dmp

Filesize
100KB

Download
memory/3944-322-0x00007FFE0B400000-0x00007FFE0B426000-memory.dmp

Filesize
152KB

Download
memory/3944-324-0x00007FFE096D0000-0x00007FFE097E8000-memory.dmp

Filesize
1.1MB

Download
memory/3944-323-0x00007FFE0DF00000-0x00007FFE0DF2E000-memory.dmp

Filesize
184KB

Download
memory/3944-332-0x00007FFE1C6A0000-0x00007FFE1C6AC000-memory.dmp

Filesize
48KB

Download
memory/3944-331-0x00007FFE1CB30000-0x00007FFE1CB3B000-memory.dmp

Filesize
44KB

Download
memory/3944-330-0x00007FFE0B4C0000-0x00007FFE0B4EB000-memory.dmp

Filesize
172KB

Download
memory/3944-329-0x00007FFE1CF10000-0x00007FFE1CF1C000-memory.dmp

Filesize
48KB

Download
memory/3944-328-0x00007FFE1D050000-0x00007FFE1D05B000-memory.dmp

Filesize
44KB

Download
memory/3944-338-0x00007FFE1C3D0000-0x00007FFE1C3DB000-memory.dmp

Filesize
44KB

Download
memory/3944-339-0x00007FFE0B4A0000-0x00007FFE0B4BE000-memory.dmp

Filesize
120KB

Download
memory/3944-340-0x00007FFE0B1A0000-0x00007FFE0B311000-memory.dmp

Filesize
1.4MB

Download
memory/3944-347-0x00007FFE0B080000-0x00007FFE0B092000-memory.dmp

Filesize
72KB

Download
memory/3944-346-0x00007FFE0B480000-0x00007FFE0B498000-memory.dmp

Filesize
96KB

Download
memory/3944-345-0x00007FFE0B0A0000-0x00007FFE0B0AD000-memory.dmp

Filesize
52KB

Download
memory/3944-344-0x00007FFE0B0B0000-0x00007FFE0B0BC000-memory.dmp

Filesize
48KB

Download
memory/3944-274-0x00007FFE0E1A0000-0x00007FFE0E1CC000-memory.dmp

Filesize
176KB

Download
memory/3944-342-0x00007FFE0B0D0000-0x00007FFE0B0DB000-memory.dmp

Filesize
44KB

Download
memory/3944-341-0x00007FFE097F0000-0x00007FFE09B67000-memory.dmp

Filesize
3.5MB

Download
memory/3944-337-0x00007FFE0E150000-0x00007FFE0E15B000-memory.dmp

Filesize
44KB

Download
memory/3944-336-0x00007FFE16180000-0x00007FFE1618C000-memory.dmp

Filesize
48KB

Download
memory/3944-335-0x00007FFE19980000-0x00007FFE1998E000-memory.dmp

Filesize
56KB

Download
memory/3944-334-0x00007FFE1AA00000-0x00007FFE1AA0C000-memory.dmp

Filesize
48KB

Download
memory/3944-333-0x00007FFE1C0B0000-0x00007FFE1C0BC000-memory.dmp

Filesize
48KB

Download
memory/3944-327-0x00007FFE1D400000-0x00007FFE1D40B000-memory.dmp

Filesize
44KB

Download
memory/3944-326-0x00007FFE0B3C0000-0x00007FFE0B3F8000-memory.dmp

Filesize
224KB

Download
memory/3944-325-0x00007FFE0B4F0000-0x00007FFE0B5AC000-memory.dmp

Filesize
752KB

Download
memory/3944-352-0x00007FFE09480000-0x00007FFE096C8000-memory.dmp

Filesize
2.3MB

Download
memory/3944-351-0x00007FFE1DEB0000-0x00007FFE1DEBC000-memory.dmp

Filesize
48KB

Download
memory/3944-350-0x0000025DDA340000-0x0000025DDA6B7000-memory.dmp

Filesize
3.5MB

Download
memory/3944-349-0x00007FFE0B0E0000-0x00007FFE0B197000-memory.dmp

Filesize
732KB

Download
memory/3944-348-0x00007FFE0B450000-0x00007FFE0B47E000-memory.dmp

Filesize
184KB

Download
memory/3944-353-0x00007FFE0B070000-0x00007FFE0B07A000-memory.dmp

Filesize
40KB

Download
memory/3944-355-0x00007FFE0B040000-0x00007FFE0B069000-memory.dmp

Filesize
164KB

Download
memory/3944-272-0x00007FFE14100000-0x00007FFE14118000-memory.dmp

Filesize
96KB

Download
memory/3944-267-0x00007FFE1AA10000-0x00007FFE1AA34000-memory.dmp

Filesize
144KB

Download
memory/3944-420-0x00007FFE0B400000-0x00007FFE0B426000-memory.dmp

Filesize
152KB

Download
memory/3944-431-0x00007FFE096D0000-0x00007FFE097E8000-memory.dmp

Filesize
1.1MB

Download
memory/3944-299-0x00007FFE0DF00000-0x00007FFE0DF2E000-memory.dmp

Filesize
184KB

Download
memory/3944-268-0x00007FFE22680000-0x00007FFE2268F000-memory.dmp

Filesize
60KB

Download
memory/3944-258-0x00007FFE09B70000-0x00007FFE09FD5000-memory.dmp

Filesize
4.4MB

Download
memory/3944-459-0x00007FFE0B450000-0x00007FFE0B47E000-memory.dmp

Filesize
184KB

Download
memory/3944-445-0x00007FFE1AA10000-0x00007FFE1AA34000-memory.dmp

Filesize
144KB

Download
memory/3944-457-0x00007FFE0B1A0000-0x00007FFE0B311000-memory.dmp

Filesize
1.4MB

Download
memory/3944-456-0x00007FFE0B4A0000-0x00007FFE0B4BE000-memory.dmp

Filesize
120KB

Download
memory/3944-455-0x00007FFE1D590000-0x00007FFE1D59D000-memory.dmp

Filesize
52KB

Download
memory/3944-444-0x00007FFE09B70000-0x00007FFE09FD5000-memory.dmp

Filesize
4.4MB

Download
memory/3944-471-0x00007FFE22670000-0x00007FFE2267F000-memory.dmp

Filesize
60KB

Download
memory/3944-589-0x00007FFE0B4F0000-0x00007FFE0B5AC000-memory.dmp

Filesize
752KB

Download
memory/3944-597-0x00007FFE097F0000-0x00007FFE09B67000-memory.dmp

Filesize
3.5MB

Download
memory/3944-598-0x00007FFE0B430000-0x00007FFE0B445000-memory.dmp

Filesize
84KB

Download
memory/3944-573-0x00007FFE0B080000-0x00007FFE0B092000-memory.dmp

Filesize
72KB

Download
memory/3944-599-0x00007FFE1D570000-0x00007FFE1D57B000-memory.dmp

Filesize
44KB

Download
memory/3944-600-0x00007FFE0B400000-0x00007FFE0B426000-memory.dmp

Filesize
152KB

Download
memory/3944-576-0x00007FFE09480000-0x00007FFE096C8000-memory.dmp

Filesize
2.3MB

Download
memory/3944-596-0x00007FFE0B0E0000-0x00007FFE0B197000-memory.dmp

Filesize
732KB

Download
memory/3944-617-0x00007FFE1D590000-0x00007FFE1D59D000-memory.dmp

Filesize
52KB

Download
memory/3944-626-0x00007FFE0B040000-0x00007FFE0B069000-memory.dmp

Filesize
164KB

Download
memory/3944-632-0x00007FFE1AA00000-0x00007FFE1AA0C000-memory.dmp

Filesize
48KB

Download
memory/3944-631-0x00007FFE1C0B0000-0x00007FFE1C0BC000-memory.dmp

Filesize
48KB

Download
memory/3944-630-0x00007FFE1C3D0000-0x00007FFE1C3DB000-memory.dmp

Filesize
44KB

Download
memory/3944-629-0x00007FFE1C6A0000-0x00007FFE1C6AC000-memory.dmp

Filesize
48KB

Download
memory/3944-628-0x0000025DDA340000-0x0000025DDA6B7000-memory.dmp

Filesize
3.5MB

Download
memory/3944-627-0x00007FFE1CB30000-0x00007FFE1CB3B000-memory.dmp

Filesize
44KB

Download
memory/3944-621-0x00007FFE0B450000-0x00007FFE0B47E000-memory.dmp

Filesize
184KB

Download
memory/3944-620-0x00007FFE0B480000-0x00007FFE0B498000-memory.dmp

Filesize
96KB

Download
memory/3944-619-0x00007FFE0B1A0000-0x00007FFE0B311000-memory.dmp

Filesize
1.4MB

Download
memory/3944-618-0x00007FFE0B4A0000-0x00007FFE0B4BE000-memory.dmp

Filesize
120KB

Download
memory/3944-616-0x00007FFE0B4C0000-0x00007FFE0B4EB000-memory.dmp

Filesize
172KB

Download
memory/3944-615-0x00007FFE1CF10000-0x00007FFE1CF1C000-memory.dmp

Filesize
48KB

Download
memory/3944-614-0x00007FFE09B70000-0x00007FFE09FD5000-memory.dmp

Filesize
4.4MB

Download
memory/3944-613-0x00007FFE20C90000-0x00007FFE20C9D000-memory.dmp

Filesize
52KB

Download
memory/3944-612-0x00007FFE13A50000-0x00007FFE13A69000-memory.dmp

Filesize
100KB

Download
memory/3944-611-0x00007FFE0E160000-0x00007FFE0E195000-memory.dmp

Filesize
212KB

Download
memory/3944-610-0x00007FFE0E1A0000-0x00007FFE0E1CC000-memory.dmp

Filesize
176KB

Download
memory/3944-609-0x00007FFE14100000-0x00007FFE14118000-memory.dmp

Filesize
96KB

Download
memory/3944-608-0x00007FFE22680000-0x00007FFE2268F000-memory.dmp

Filesize
60KB

Download
memory/3944-607-0x00007FFE1AA10000-0x00007FFE1AA34000-memory.dmp

Filesize
144KB

Download
memory/3944-606-0x00007FFE0DF00000-0x00007FFE0DF2E000-memory.dmp

Filesize
184KB

Download
memory/3944-605-0x00007FFE22670000-0x00007FFE2267F000-memory.dmp

Filesize
60KB

Download
memory/3944-604-0x00007FFE1D050000-0x00007FFE1D05B000-memory.dmp

Filesize
44KB

Download
memory/3944-603-0x00007FFE1D400000-0x00007FFE1D40B000-memory.dmp

Filesize
44KB

Download
memory/3944-602-0x00007FFE0B3C0000-0x00007FFE0B3F8000-memory.dmp

Filesize
224KB

Download
memory/3944-601-0x00007FFE096D0000-0x00007FFE097E8000-memory.dmp

Filesize
1.1MB

Download
memory/4176-577-0x00007FFE20F20000-0x00007FFE20F38000-memory.dmp

Filesize
96KB

Download
memory/4176-578-0x00007FFE20EF0000-0x00007FFE20F1C000-memory.dmp

Filesize
176KB

Download
memory/4176-574-0x00007FFE20F40000-0x00007FFE20F64000-memory.dmp

Filesize
144KB

Download
memory/4176-575-0x00007FFE22660000-0x00007FFE2266F000-memory.dmp

Filesize
60KB

Download
memory/4176-572-0x00007FFE0DA90000-0x00007FFE0DEF5000-memory.dmp

Filesize
4.4MB

Download
memory/4176-625-0x00007FFE20EA0000-0x00007FFE20EB9000-memory.dmp

Filesize
100KB

Download
memory/4176-624-0x00007FFE1D510000-0x00007FFE1D545000-memory.dmp

Filesize
212KB

Download
memory/4176-623-0x00007FFE1D4E0000-0x00007FFE1D50E000-memory.dmp

Filesize
184KB

Download
memory/4176-622-0x00007FFE1DEA0000-0x00007FFE1DEAD000-memory.dmp

Filesize
52KB

Download
memory/4176-740-0x00007FFE0DA90000-0x00007FFE0DEF5000-memory.dmp

Filesize
4.4MB

Download