bitrat | a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07

Analysis

max time kernel
148s
max time network
79s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0866df50713533e04728b04a5286de9_JaffaCakes118.exe
Size

9.7MB
MD5

e0866df50713533e04728b04a5286de9
SHA1

8ea1239123bf01d9c610662b7f511e6dc967dd7f
SHA256

a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07
SHA512

5f0f4b77e6da798cccf7beec865e1b2c964448d45c048d66193c95de93381a561b50f673de8cd8ecc6bc33d672cf9ee57a180fd2edfe26ecaef447babf27c9f9
SSDEEP

196608:SX8+4u9dvKX5onopXD/WVrTm5x6nW40Z5io98N2HBMADiYfNogmNmAiHNv:SX595KX5zpXLKrTLPE0U8o+AD3MmAiHN

Score

10^/10

bitrat discovery evasion trojan

Malware Config

Extracted

Family

bitrat

Version

1.34

logonapplication.ddns.net:4016

Attributes

communication_password
c4ca4238a0b923820dcc509a6f75849b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

Defender.exeDefender.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3"	Defender.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3"	Defender.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

e0866df50713533e04728b04a5286de9_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

e0866df50713533e04728b04a5286de9_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools e0866df50713533e04728b04a5286de9_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e0866df50713533e04728b04a5286de9_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe

Drops startup file 3 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Process.exe	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

Bypass.exeDefender.exeDefender.exe

pid process

1996 Bypass.exe
912 Defender.exe
1744 Defender.exe
Loads dropped DLL 1 IoCs

Processes:

Bypass.exe

pid process

1996 Bypass.exe

pid	process
1996	Bypass.exe
912	Defender.exe
1744	Defender.exe

pid	process
1996	Bypass.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Defender.exeDefender.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Defender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	Defender.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e0866df50713533e04728b04a5286de9_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

Processes:

Defender.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Defender.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Defender.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

MSBuild.exe

pid process

1488 MSBuild.exe
1488 MSBuild.exe
1488 MSBuild.exe
1488 MSBuild.exe

pid	process
1488	MSBuild.exe
1488	MSBuild.exe
1488	MSBuild.exe
1488	MSBuild.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

e0866df50713533e04728b04a5286de9_JaffaCakes118.exeMSBuild.exe

description	pid	process	target process
PID 868 set thread context of 1352	868	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe	MSBuild.exe
PID 1352 set thread context of 1956	1352	MSBuild.exe	MSBuild.exe
PID 1352 set thread context of 1488	1352	MSBuild.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MSBuild.exeMSBuild.exeBypass.exeDefender.exeDefender.exee0866df50713533e04728b04a5286de9_JaffaCakes118.exeschtasks.exeMSBuild.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bypass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Defender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Defender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1108 schtasks.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

Bypass.exe

pid process

1996 Bypass.exe

pid	process
1108	schtasks.exe

pid	process
1996	Bypass.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

e0866df50713533e04728b04a5286de9_JaffaCakes118.exeDefender.exe

pid	process
868	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe
912	Defender.exe
912	Defender.exe
912	Defender.exe
912	Defender.exe
912	Defender.exe
912	Defender.exe
912	Defender.exe
912	Defender.exe
912	Defender.exe
912	Defender.exe
912	Defender.exe
912	Defender.exe
912	Defender.exe
912	Defender.exe
912	Defender.exe
912	Defender.exe
912	Defender.exe
912	Defender.exe
912	Defender.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

e0866df50713533e04728b04a5286de9_JaffaCakes118.exeDefender.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	868	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe
Token: SeDebugPrivilege	912	Defender.exe
Token: SeAssignPrimaryTokenPrivilege	912	Defender.exe
Token: SeIncreaseQuotaPrivilege	912	Defender.exe
Token: 0	912	Defender.exe
Token: SeDebugPrivilege	1488	MSBuild.exe
Token: SeShutdownPrivilege	1488	MSBuild.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

MSBuild.exe

pid process

1488 MSBuild.exe
1488 MSBuild.exe

pid	process
1488	MSBuild.exe
1488	MSBuild.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

e0866df50713533e04728b04a5286de9_JaffaCakes118.exeMSBuild.exeMSBuild.execmd.exeBypass.exe

description	pid	process	target process
PID 868 wrote to memory of 1108	868	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe	schtasks.exe
PID 868 wrote to memory of 1108	868	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe	schtasks.exe
PID 868 wrote to memory of 1108	868	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe	schtasks.exe
PID 868 wrote to memory of 1108	868	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe	schtasks.exe
PID 868 wrote to memory of 1352	868	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe	MSBuild.exe
PID 868 wrote to memory of 1352	868	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe	MSBuild.exe
PID 868 wrote to memory of 1352	868	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe	MSBuild.exe
PID 868 wrote to memory of 1352	868	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe	MSBuild.exe
PID 868 wrote to memory of 1352	868	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe	MSBuild.exe
PID 868 wrote to memory of 1352	868	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe	MSBuild.exe
PID 868 wrote to memory of 1352	868	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe	MSBuild.exe
PID 868 wrote to memory of 1352	868	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe	MSBuild.exe
PID 868 wrote to memory of 1352	868	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe	MSBuild.exe
PID 868 wrote to memory of 1352	868	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe	MSBuild.exe
PID 868 wrote to memory of 1352	868	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe	MSBuild.exe
PID 868 wrote to memory of 1352	868	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe	MSBuild.exe
PID 868 wrote to memory of 1352	868	e0866df50713533e04728b04a5286de9_JaffaCakes118.exe	MSBuild.exe
PID 1352 wrote to memory of 1264	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1264	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1264	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1264	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1956	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1956	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1956	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1956	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1956	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1956	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1956	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1956	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1956	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1956	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1956	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1488	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1488	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1488	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1488	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1488	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1488	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1488	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1488	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1488	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1488	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1488	1352	MSBuild.exe	MSBuild.exe
PID 1352 wrote to memory of 1488	1352	MSBuild.exe	MSBuild.exe
PID 1956 wrote to memory of 2948	1956	MSBuild.exe	cmd.exe
PID 1956 wrote to memory of 2948	1956	MSBuild.exe	cmd.exe
PID 1956 wrote to memory of 2948	1956	MSBuild.exe	cmd.exe
PID 1956 wrote to memory of 2948	1956	MSBuild.exe	cmd.exe
PID 2948 wrote to memory of 1996	2948	cmd.exe	Bypass.exe
PID 2948 wrote to memory of 1996	2948	cmd.exe	Bypass.exe
PID 2948 wrote to memory of 1996	2948	cmd.exe	Bypass.exe
PID 2948 wrote to memory of 1996	2948	cmd.exe	Bypass.exe
PID 1996 wrote to memory of 912	1996	Bypass.exe	Defender.exe
PID 1996 wrote to memory of 912	1996	Bypass.exe	Defender.exe
PID 1996 wrote to memory of 912	1996	Bypass.exe	Defender.exe
PID 1996 wrote to memory of 912	1996	Bypass.exe	Defender.exe

C:\Users\Admin\AppData\Local\Temp\e0866df50713533e04728b04a5286de9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e0866df50713533e04728b04a5286de9_JaffaCakes118.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uskPBklHAI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp290.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1264
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\510.tmp\511.tmp\512.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      Drops startup file
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Users\Admin\AppData\Local\Temp\510.tmp\Bypass.exe
        
        Bypass.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Users\Admin\AppData\Local\Temp\Defender.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Defender.exe" /D
        6⤵
        Modifies security service
        Executes dropped EXE
        Windows security modification
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\Defender.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Defender.exe" /SYS 1
        7⤵
        Modifies security service
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        
        PID:1744
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1488

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\510.tmp\511.tmp\512.bat

Filesize
525B

MD5
d4a739ca802d5dff563766977640f58e

SHA1
0a0c28f80cdedb2ecac1d76d15e38b60a63b2be5

SHA256
17e4ba6c84d45d5228b96a9a28292e658212c41b8764df0b6510cad24926d6f5

SHA512
15de091c5da6fd765e77f23169ce0cbf5b6d045d784cea28f688afe21a96a686fb9995acb2ea8394753a1024c27e4d31d8753ba86d18f880b8009ee001b24004

Download Submit
C:\Users\Admin\AppData\Local\Temp\510.tmp\Bypass.exe

Filesize
810KB

MD5
8ec8ca109abce872ef8e54a7c6af215f

SHA1
3b4b130d9fdeef5a41a740ea52bf121f24aab713

SHA256
5f556b89361ab895a2fc24da90323a2ca43ad1dd46a644b128caeb2879eb411d

SHA512
04b3e1457ca6c4ab85d1622a4650e24516af597cb009d9f3681008d72c15e6a9ef626ce4d1e9d52aa6df176836079c6fe6f3d62716afe23c6409871beccc18a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\510.tmp\Process.exe

Filesize
90KB

MD5
6a29526673cdfdc28f9ea288165a03ca

SHA1
596e37d7be4d7e961333df360f6589ee8c881027

SHA256
2ed4ff8edef9e91278a876937ec2cd516ef6313ea5ce8cadb8d8a667933fc829

SHA512
c3bc6761ab503c3fbe9cb9cb344a2a81f750585f738febc9528278ee08e8654dde29f46aa0fb2537c107a28ac6de00e1f34410a9458c07413dc01b2fa88bb695

Download Submit
C:\Users\Admin\AppData\Local\Temp\Defender.exe

Filesize
802KB

MD5
ac34ba84a5054cd701efad5dd14645c9

SHA1
dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

SHA256
c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

SHA512
df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp290.tmp

Filesize
1KB

MD5
89ff4418b3e444a5c3c0eb039d56f047

SHA1
4040759865539aef58a8904c6ebd0761b4e326b8

SHA256
ba88a83420e9e2e032bd03463f7ad7c1a311507bf29ebefed97ac5d8553c81fb

SHA512
d68ae8d80b285aeb00945f86473537d89e6883372675e2ceec2269a4c28ad93c672a7b7c9bbaa220475bb09e9edfcade6c7834d89da3b51c897f6405e7bd6e9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe

Filesize
4.9MB

MD5
5b72bdd9ce48384dd0ba54da5f7f25b7

SHA1
7d0e7082e80632ef6bf215190fceccc9cc4e8557

SHA256
d595638f180e98368cf12e9499d22f05dbb7ce4fb8bebfd51dc3ea723b7bd372

SHA512
42f6ebd4dd4c9b2c6abbdf5b7c6822e1845dd44a198300f3470ff7518b129548c1c4fa10e3570157ed61654ec4e741ae6e76cdc18633129d4adcb5c26ee42f1a

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
233B

MD5
cd4326a6fd01cd3ca77cfd8d0f53821b

SHA1
a1030414d1f8e5d5a6e89d5a309921b8920856f9

SHA256
1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

SHA512
29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

Download Submit
C:\Windows\Temp\vsdmhzj

Filesize
37KB

MD5
4f4cfdec02b700d2582f27f6943a1f81

SHA1
37027566e228abba3cc596ae860110638231da14

SHA256
18a13223c2587bc03ce14be7a63325f3c60d6f805e1bb96e32025ecdc1d620b7

SHA512
146128ecb8bc682510a92f58cea58bfed68a215438d235b1b79ad6e0ef1f0f6a6b9400c7b83d70ddf7d8a22a5bcaca17b6532650192b4448e811dd7b4335b592

Download Submit
memory/868-4-0x000000007489E000-0x000000007489F000-memory.dmp

Filesize
4KB

Download
memory/868-65-0x0000000074890000-0x0000000074F7E000-memory.dmp

Filesize
6.9MB

Download
memory/868-6-0x000000000C650000-0x000000000CFEA000-memory.dmp

Filesize
9.6MB

Download
memory/868-5-0x0000000074890000-0x0000000074F7E000-memory.dmp

Filesize
6.9MB

Download
memory/868-0-0x000000007489E000-0x000000007489F000-memory.dmp

Filesize
4KB

Download
memory/868-3-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/868-2-0x0000000074890000-0x0000000074F7E000-memory.dmp

Filesize
6.9MB

Download
memory/868-1-0x0000000000390000-0x0000000000D56000-memory.dmp

Filesize
9.8MB

Download
memory/1352-22-0x0000000000400000-0x0000000000D6A000-memory.dmp

Filesize
9.4MB

Download
memory/1352-26-0x0000000000400000-0x0000000000D6A000-memory.dmp

Filesize
9.4MB

Download
memory/1352-31-0x0000000000400000-0x0000000000D6A000-memory.dmp

Filesize
9.4MB

Download
memory/1352-28-0x0000000000400000-0x0000000000D6A000-memory.dmp

Filesize
9.4MB

Download
memory/1352-20-0x0000000000400000-0x0000000000D6A000-memory.dmp

Filesize
9.4MB

Download
memory/1352-27-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1352-12-0x0000000000400000-0x0000000000D6A000-memory.dmp

Filesize
9.4MB

Download
memory/1352-59-0x0000000000400000-0x0000000000D6A000-memory.dmp

Filesize
9.4MB

Download
memory/1352-30-0x0000000000400000-0x0000000000D6A000-memory.dmp

Filesize
9.4MB

Download
memory/1352-14-0x0000000000400000-0x0000000000D6A000-memory.dmp

Filesize
9.4MB

Download
memory/1352-16-0x0000000000400000-0x0000000000D6A000-memory.dmp

Filesize
9.4MB

Download
memory/1352-18-0x0000000000400000-0x0000000000D6A000-memory.dmp

Filesize
9.4MB

Download
memory/1352-24-0x0000000000400000-0x0000000000D6A000-memory.dmp

Filesize
9.4MB

Download
memory/1488-140-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-44-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-135-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-133-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-46-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-48-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-50-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-52-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-54-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-134-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-66-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-57-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-42-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-137-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-132-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-136-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-139-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-138-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-103-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-111-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-109-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-113-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-107-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1488-141-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1956-35-0x0000000000400000-0x000000000096B000-memory.dmp

Filesize
5.4MB

Download
memory/1956-131-0x0000000000400000-0x000000000096B000-memory.dmp

Filesize
5.4MB

Download
memory/1956-40-0x0000000000400000-0x000000000096B000-memory.dmp

Filesize
5.4MB

Download
memory/1956-41-0x0000000000400000-0x000000000096B000-memory.dmp

Filesize
5.4MB

Download
memory/1956-58-0x0000000000400000-0x000000000096B000-memory.dmp

Filesize
5.4MB

Download
memory/1956-33-0x0000000000400000-0x000000000096B000-memory.dmp

Filesize
5.4MB

Download
memory/1956-34-0x0000000000400000-0x000000000096B000-memory.dmp

Filesize
5.4MB

Download
memory/1956-36-0x0000000000400000-0x000000000096B000-memory.dmp

Filesize
5.4MB

Download
memory/1956-37-0x0000000000400000-0x000000000096B000-memory.dmp

Filesize
5.4MB

Download
memory/1956-38-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1956-32-0x0000000000400000-0x000000000096B000-memory.dmp

Filesize
5.4MB

Download
memory/1996-72-0x0000000000CB0000-0x0000000000D80000-memory.dmp

Filesize
832KB

Download