ratty | 21810e5c5329762599cdb396feba7c560e42808f11d7eda6ea8afcc0d3d1cd1d

Analysis

max time kernel
135s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2024 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar
Size

332KB
MD5

c6f19bd285ac0c699435b607a163bedd
SHA1

959fd4aa99f9550359eeccf5770565fb0503104d
SHA256

21810e5c5329762599cdb396feba7c560e42808f11d7eda6ea8afcc0d3d1cd1d
SHA512

96be9a0c64c27cca97b690e9b8e07db114271b7888b4acacf8aed0a89750ab6fd967e48cd277abe3e359726af1f094e8c33b6b4e0b4b5561559189e8577ca708
SSDEEP

6144:JZjgS007NNMX/+DoklCAFNWClCA+jp02GmaZ/ZJSEPavLFjt+Ww:JZNNNzbCClCA+jp02GmWhJnav5jUj

Score

10^/10

ratty discovery persistence rat trojan

Malware Config

Signatures

Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty

Ratty Rat payload 1 IoCs

resource	yara_rule
behavioral4/files/0x0009000000023cb0-14.dat	family_ratty

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar	java.exe

Loads dropped DLL 1 IoCs

pid	Process
2992	java.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar = "C:\\Users\\Admin\\AppData\\Roaming\\[RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar"	REG.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	java.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	java.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3824	REG.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3032	WINWORD.EXE
3032	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2084	msedge.exe
2084	msedge.exe
3192	msedge.exe
3192	msedge.exe
5364	identity_helper.exe
5364	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5080	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5080	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
3032	WINWORD.EXE
3032	WINWORD.EXE
3032	WINWORD.EXE
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
3032	WINWORD.EXE
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe
2992	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 3824	2992	java.exe	87
PID 2992 wrote to memory of 3824	2992	java.exe	87
PID 2992 wrote to memory of 1588	2992	java.exe	88
PID 2992 wrote to memory of 1588	2992	java.exe	88
PID 2992 wrote to memory of 1368	2992	java.exe	89
PID 2992 wrote to memory of 1368	2992	java.exe	89
PID 3192 wrote to memory of 2664	3192	msedge.exe	105
PID 3192 wrote to memory of 2664	3192	msedge.exe	105
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 220	3192	msedge.exe	106
PID 3192 wrote to memory of 2084	3192	msedge.exe	107
PID 3192 wrote to memory of 2084	3192	msedge.exe	107
PID 3192 wrote to memory of 4832	3192	msedge.exe	108
PID 3192 wrote to memory of 4832	3192	msedge.exe	108
PID 3192 wrote to memory of 4832	3192	msedge.exe	108
PID 3192 wrote to memory of 4832	3192	msedge.exe	108
PID 3192 wrote to memory of 4832	3192	msedge.exe	108
PID 3192 wrote to memory of 4832	3192	msedge.exe	108
PID 3192 wrote to memory of 4832	3192	msedge.exe	108
PID 3192 wrote to memory of 4832	3192	msedge.exe	108
PID 3192 wrote to memory of 4832	3192	msedge.exe	108
PID 3192 wrote to memory of 4832	3192	msedge.exe	108
PID 3192 wrote to memory of 4832	3192	msedge.exe	108
PID 3192 wrote to memory of 4832	3192	msedge.exe	108
PID 3192 wrote to memory of 4832	3192	msedge.exe	108
PID 3192 wrote to memory of 4832	3192	msedge.exe	108

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1588	attrib.exe
1368	attrib.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\[RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar
1⤵
- Drops startup file
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "[RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar" /d "C:\Users\Admin\AppData\Roaming\[RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:3824
- C:\Windows\SYSTEM32\attrib.exe
  attrib +H C:\Users\Admin\AppData\Roaming\[RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar
  2⤵
  - Views/modifies file attributes
  PID:1588
- C:\Windows\SYSTEM32\attrib.exe
  attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar
  2⤵
  - Views/modifies file attributes
  PID:1368

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\MeasureCheckpoint.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff753746f8,0x7fff75374708,0x7fff75374718
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,17841154624990721588,5895320620192380082,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,17841154624990721588,5895320620192380082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,17841154624990721588,5895320620192380082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17841154624990721588,5895320620192380082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17841154624990721588,5895320620192380082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17841154624990721588,5895320620192380082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17841154624990721588,5895320620192380082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17841154624990721588,5895320620192380082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17841154624990721588,5895320620192380082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17841154624990721588,5895320620192380082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17841154624990721588,5895320620192380082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:5916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17841154624990721588,5895320620192380082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17841154624990721588,5895320620192380082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
  2⤵
  PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17841154624990721588,5895320620192380082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17841154624990721588,5895320620192380082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17841154624990721588,5895320620192380082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:1512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff753746f8,0x7fff75374708,0x7fff75374718
  2⤵
  PID:3052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1084

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a4 0x52c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
70KB

MD5
4308671e9d218f479c8810d2c04ea6c6

SHA1
dd3686818bc62f93c6ab0190ed611031f97fdfcf

SHA256
5addbdd4fe74ff8afc4ca92f35eb60778af623e4f8b5911323ab58a9beed6a9a

SHA512
5936b6465140968acb7ad7f7486c50980081482766002c35d493f0bdd1cc648712eebf30225b6b7e29f6f3123458451d71e62d9328f7e0d9889028bff66e2ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b579a6a96a49b95e55d285b7e2890a88

SHA1
e4e48c82dc4dfe2958e942bc2f857712500eefba

SHA256
fd0428f16ace5ff6adc1f25bee0c365ce3de338081cc07cc517538144443cb98

SHA512
3af6799a680ff04c3800ac4ae93a06dada247a5da95f97d930ae0501f8fd35b40cc4001b053abfdae0fd37c98d9bdf1311770e5875a70efe8ee4d298a21ad5cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
612B

MD5
3d4c517bcacbc31441d2f26501c6d5de

SHA1
5c2a1454129f9279ccc48f42f4026023a15cd454

SHA256
6608091e69e42dfd94329ab92ab8ebfa7511eeca794accb92bc04095a53b069a

SHA512
ee55ec6e691e36c175409f94d6db06f76d86af26b7b18cc21962fa0361978cc23b9247f7b1e9711ff1ea219d06bc689cf53898d225eb577003f4db965fe22d81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6a1a8cfc62bdd7c284eb112171c072f2

SHA1
acfcb60b4184a1071d22be558a69ffa8ca1b53d7

SHA256
51927cdb54afa69b13cde7c19a6a4967f87c9438aa8c220eec24a9a936849a9c

SHA512
480c85d61ebffe017532ce3174786433df358d9fb24fb31fa0904a280003818bd7e6eb06a9c95d9ba9cd97af1b20973afd9a0c19ea257a8694998403990d6731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
072fd3ab74f4ab250d016412980c93de

SHA1
a0d3786962932489b098a531c699bb68abcd0313

SHA256
f123d738994f96d411b436fc1ad78eb231872c6aeaa746a37b783ae84ce5dd4d

SHA512
b11623c46f387703b4cc393d1a08e55ab80c4282ab473d959b8e98b489fbfeced011f75391b94906590794f424fee714cb84ecf1fe0bf58f896f816196b6e95e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ca3667fa63528768b9dda908a7b03468

SHA1
f590da744b09273e50d40bbcb60484bfa963daca

SHA256
6f276211bdb54b7a76edc0de9c188ab0c216947bfee42041374b980833118aec

SHA512
e9f0fbce81b1e698b9e8c1ab239db288c03b97465b31b062a3960fcaf3289b69d23415fd9ad6acec0d547d2f2009cf4f8fe66febd1abef423129741127621791

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fa8f8e12de369b492a693881baba4a37

SHA1
d9cfe68fc3b3d054fc272e5ddfb74a178c06dc8b

SHA256
5e63ee022f7c9b0445d6c3a581e231412bf54c864a3227c2db13834c1c2649cc

SHA512
763034916d390d5626806d0cd976d2faf437096e9c7b828ed82c53a3b969e04002e45e5d1b1287e66c920b1fbbf686e728497bb8651fa9f57fc1214eeb144971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
87210d3a6e67310ac872170e939af50d

SHA1
a5995749a25659e4bab6e233eefe38074885d086

SHA256
651a04258d3733f65a660878e687c0d4a1d9a871bbb3f812aa654442ad2c2340

SHA512
90a5ac229734de38dd1b58b66da3bd1444dd8c67fde063f3abef6894c46fe0c725cc403d0941764785e24534435a9b5a7cd786bcbacd89c5ba97ec21d2f2b2ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe590258.TMP

Filesize
538B

MD5
5934588794c8e9534e80a3417823331d

SHA1
68f695a2dfd621fb471afdb2ca08fd036c2851dc

SHA256
ec91ef73df5221b5f3bb060be6dcd62a579531ce62490d8fe3408a16a3e38d2e

SHA512
d3ce94539fa2a99a0ee564ac9d1f8d329c1828088bdc3df64a0624433bb54472466581bbb186cf3ec08173919ece87f25eba7e1e0917785b506a6b5f5559cf45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9635aa3fc8d98b0f7851151b3de96517

SHA1
79cb2087eb8a702435eef2ba6acb090bfa700dbd

SHA256
6d72e8dea2322e284a1fb1f6a058217cf3e79afba1c9ee122c20065b2b754828

SHA512
51b60fd2c324caafadd13726f56d35bae4b1e9f2996d2dffed43dffae8de921812f3f537f9dd5dca6a40af29994d0851e15f23de37125c775ec8a1e4630e0ec1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
799e482a42771a9330fbd2dd0a09ae5c

SHA1
71c62c3ce04bf8b10f00912d1b356daed56a6c8a

SHA256
fd05233409662b71e05cb33cb9ae8edf6f5bbae50a0e5b4201d58e16c9c8bf83

SHA512
066097fed5e3bcabf1d00ab6ee328d1a9190b2ce270f3023aabdd1b8c9ac0846495a8ac0ae73b7e94c27aa6dd22641a58edeb1b9e8aad7599e9a26f60f655929

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
91cca3f2ef5bb641730b1d275088a905

SHA1
b19c5e06e43ff2f72f9c6a927fd6ffea37102d73

SHA256
c2a47a5120c4508246b7d4bc5949eca3c9e5fdec261ceee2444aa575ddede154

SHA512
3a27d22cb01319522e89eed343637f603446bffde271826b155883fe47583c73874beef6e6adf666a0ae597f6702ab0fab561b40836138ab7ba491e5f86822d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
938eb1d842d78cd0ab3a9de04e391b1d

SHA1
a4425874bdb1bd555dd7c09c6c9011f68cdbdd8a

SHA256
602fef5c0c0f036e54c3c2f61dd257897b3694950d76defb1068be5f39909487

SHA512
9aa6bc724116aae70b26ae83a2f8a0e6c65517f31991f43864bb8b04abf12fb5667ce87bcf1a6d71ed49491a5616883aaaecf5ad7dd914296e74934dcabd3e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll

Filesize
83KB

MD5
55f4de7f270663b3dc712b8c9eed422a

SHA1
7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4

SHA256
47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25

SHA512
9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio1139191558890145284.tmp

Filesize
5KB

MD5
e40efd4f45b562a8aa2f743cf0ae2fd1

SHA1
0546aeceec25f9398ecc37b833ba8925383ae19b

SHA256
b6cfee2a186341566d874a53c3700418202fd36f18e7cd21c552dce70b761917

SHA512
6470c7131a8fe8417ebdc2ca0d0c8dcc13de967eee0fa1b1e2e954249a3050af9060cae2f7d3b0acba0584950e54abe4dd0777034dbef85002967f746945a003

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio1500957354300914771.tmp

Filesize
2KB

MD5
2dc3e52be687a70c691c5cf631d006e1

SHA1
188d24cabfb2445544bd456a3c73e48307124107

SHA256
d078c8ed44569222b7df9bb37286a70aa50ff3d1e59111a5b548b38322d87b06

SHA512
49747fd1ca38ab3c8aaedbba958b0dfddeb61af2fbd480c8ab589cf952abecd3508bf89b07c69b475ccf872b5236906fe09452292727ca2b49ab675dc84fc622

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio1637220787266544419.tmp

Filesize
2KB

MD5
e535e8dce3a6644dc2b274230c47d3d3

SHA1
eb7d464620d0e798a17414488c51954282b87b70

SHA256
b00a0385134b94961ff57d526541b9ec26d0e62a3007c9da81f8c5cf2f2643b7

SHA512
541c296e772fa9f5c4459b3cb6997e0237b6fe4e03c85d4a1013f0ec2c734c8a5966ac225f6707d70b09da37acbf0d795c3ac5450cd09cd7d6e5ed44de406538

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio1954305117660166454.tmp

Filesize
1KB

MD5
aeb84492eac4258cf82e3fb5189e8638

SHA1
124ca9eb561fc1ff608407c6a3faaa4dd75976f5

SHA256
4d5d384acb29f2c37a9cbd74e0cc1950f91fa3edd37795bdbab422159e6d4562

SHA512
96e269123f605ebcee3cab1c5437c8cfb5fd4387bd85598b71f701beda92458ac388f836aab37ea03af59686a857d2358cde76b77490576d74fa63adc988eb70

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio2061311629084862628.tmp

Filesize
7KB

MD5
d34aed4c5f76b8f2881f168ced0fdfd9

SHA1
0f4da6563b04942546a4fc2cc3a93ef946b11292

SHA256
097fc6667497046158503440480c66fd30a5c65fb0f5c7413b82fbaa24f65743

SHA512
79f91f0e176eade6f5e042f1e1b31ad9a0f1fe96ba3a0688bd5d43b01d1248b19a3a3ce63bed13ac1c5214825ec11e0132c59b531264bc9d65af74ff6bdde6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio226570336954998913.tmp

Filesize
2KB

MD5
35a41e73f2957b53c31da3fb50c515af

SHA1
32732c742bfd8dbcd5524b99ba2070d1c529305c

SHA256
238fc37173c67bd68942c2b433e6f5a785e598f1022573e6fc9873e465142b78

SHA512
ba3299231d73349dc0cf7dee3feda40d7af4c7f04832a1528ee43c7b0982a517d9b07113891abc6df90c0240a5c9d0417cef29f0d6b0078a3ea711180588b436

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio3611534982434201402.tmp

Filesize
1KB

MD5
0558991932d3d644d2cc21712bec9f3c

SHA1
a12789d909655d79870c7011fd45fa6e518451ea

SHA256
3032533aa7152cc502fa5dc88c5a1112129dd68a6d1064f74cd22387bd6e45b0

SHA512
bf659e40dac6d2e35b3af85c620cb7b8088530d13ba4d8bbec483c91ec3c3135990972f9e23b712e6ebcacb2adda3ae3c1f8bd17c389ddb257c5cb9f93755881

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio39157923413834806.tmp

Filesize
1KB

MD5
3cdc255950081c803e3caf1e0d7b677f

SHA1
0fb5b72a2c1142e9cc6c85ba8dde48fc361a2356

SHA256
efbbf2b6a80f7fe5ba83ec8c4c5f8b89227a0090679d6a07442f1b91e4908641

SHA512
186e12db0c033547d6e7c020a4c4e4c8120bc5f614c3150331f7ecc154fb1f5e62716130ffdf5fd19af5d4de89d1c529425139c9f2c546b19915a9fa28202197

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio4170282011219361770.tmp

Filesize
1KB

MD5
e421708f5a68a7395d62fb602f1bbe9e

SHA1
a7ddba98e8a0535d79afa2fbf5a7f87871594d85

SHA256
1e46088dd1ec8e675b6c04bd1d352740a0569659468eaa61dd9c452cbd90a821

SHA512
b43debca4ff5cb79118a0eecaa9190de875eb2fd762502780119aeb107977f745b25dfb25d5b2bab62b1a69eca92fc56f9b23bdb33db7b8f773f66490292bf2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio4258186974362956027.tmp

Filesize
1KB

MD5
7d0f887cf406e33c773e7b1593ed6615

SHA1
89d381a717fe038deb283ffcc787475f1d818623

SHA256
9e4fa5cd2bbf938cf550b28348ec87a6c9fa713254e5590fe171aa13fb12efa3

SHA512
bc90c11adf92a6e98b19861b4b52c87f93d4fdad798d0765620c435f9c32916a14b7a458ef32c09a1555fa625ee96728b572cd87b7716569cf71e4ba45dbacd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio5038584144154035259.tmp

Filesize
2KB

MD5
c245b237c2c0b40f3716f2b310192d39

SHA1
68f401851a809c63c5fca5d4b50f5bd247b3d360

SHA256
2cf6d2a0b364777edfaaed239ab21a16e5b62747876605a4d2716cf3a8ca48d2

SHA512
6cd694263759d2a72d07a42887ed3d3b407ba7b2f85023bc1ce65935f1bb0ba44fe60c21663a89165a5305d8057bfb0f8869b88cb3b4efc8968c2061ae56d531

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio5326956784610221570.tmp

Filesize
1KB

MD5
2e03e5601739082aa7405d598955dd4c

SHA1
04b4a15c7aa19ce755b6acaefffcf12b34017070

SHA256
5430976fd16f0d0fb6b4657f5b85651661e8c353d00d9be36c90ac095818ea80

SHA512
4c33dd97ec5c5b5b11309a988cd8ee79f3c02d04e7609ad0405dff9ce166c803c05c3e343ccaca1c90ad3172c26238e00a542874574b92e7222e37880e44ff14

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio5746111419142789641.tmp

Filesize
4KB

MD5
61a2607ef10d4d69174100433378ca09

SHA1
fa393237ef70fb4d20cadf3bd2695c21fbc2ec79

SHA256
a3b0b38a976c10b2a6185031007bb02a1b3b5901482eea8ba972097f7306cbbf

SHA512
86337dbc8b4000453d7edd9b21e49b91e2789d4e11bb3492a9be1050ceb0a31c91c2f8ff96e77797520a5437f6e5fc426c8b4606a5fc06f7a4c49eb7c16b6fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio6085334395602186519.tmp

Filesize
3KB

MD5
98f46342f8393321f8306ca07370fe85

SHA1
c272ea8534084519a0eb20214d2263670233f260

SHA256
c15e8179178448ad7c22bc45f0c542fe171708439553cbbd9b54a6d82492a4c9

SHA512
a74371d5bbe9c52240eb0f7e820bda09c988128e04318c800017e768e5849572faf461d096d0fb6339ceef231a8aee440f800bf5e3c51c8b717b46062536b212

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio6307943268394971202.tmp

Filesize
3KB

MD5
673d8deb44a03bc2bdea484664cdd7ce

SHA1
4a4c314667dfc1605d02869ae7af724b40b10efe

SHA256
1495cb03487f812d2a5ca567f21623151d35a98a2fb091034f52ddf99412fdac

SHA512
bf927151b4af5831f6da39bf412ce8e492972f6390af5506f64a091481099786ae6bc3efc79c6e8f41389189f61f70f2419c9511df84f29cd219fd5705fe50c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio65071083439838870.tmp

Filesize
4KB

MD5
8464ed955511b64afb7b2bfda0cee41b

SHA1
f784d1c4f752574820dad6c5d6c8aa79ae143d13

SHA256
b1335c0b4bad108d9fdf3a47d59c8b6c747d51400468f5bf827f8a0e3559890a

SHA512
96a0ecca7518de5794c965ba880b668438f77a4576026adf16ac61030b60d6f7438a5fffd12cad08f6ce2dd5772073d664e2c5500386828f774ae261596cd8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio6764493196011435256.tmp

Filesize
4KB

MD5
b08afaf16169231b78602ed1a800b916

SHA1
7c10e22ed91a1a406420bd506e7c3ddecf367d12

SHA256
0570ccbc64f88271482820373e700bf5ffb36fafe60a28060f14ff6dfa76595e

SHA512
18344181ed224cb9db8a6311d7f64a98135fa6e9a5dd10f0999b0894275afb3c4ab37eca61ee05712a7180c9eb4214a095f4c19066569da67bcf8f65bac8c399

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio6774879548611492622.tmp

Filesize
7KB

MD5
65101b433ce7d77176ec180500c29a5c

SHA1
33964a64816a352b49b2aab34fe06810ba538cf1

SHA256
5c9754f7ee6f8fb954516b3fde4077e4367f5ff5baeb2f9cb607aea325ef701a

SHA512
6b63f9156933452de0aed53ad5ceb9f9691937c0b0a4c5d6be29c9b62504eb0e5a78c20f9100844a7fc7d2412e10d7c5cba7160a910968ea4b206b5b197dd6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio6939728585461675659.tmp

Filesize
1KB

MD5
6eb1106aafdfe4e9baf28c9b1570c6d2

SHA1
1f543f198affa6f1a5ac2c798aeb7582f68ad606

SHA256
c06f357d613bcfc7a240dd83ebb73e00f7d199317f3d7354c2683248e984eab2

SHA512
748adcda2f36636033768825ad1abcbab847cd8abdd63cd41868ba82244ea5754f31810c75ced19e114fd23ec2b9bb6b5b0740a82c77cabaf13fd734f561408f

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio7316585938149902194.tmp

Filesize
3KB

MD5
7e20bb657ecc40b6b9f6ecebdc7c70a6

SHA1
b8968f3263207949a2e1bea303f6f9853cc776da

SHA256
270d279153a1fe5fc138722fc0c82ae88ae6dde07d94e7dbd1a393d577d39dee

SHA512
9bcfaa33cd6a6e9a2fe7b6a5de57993c21c7caa1576376069e39ceaa837bdf849ddaa7433bdaf42e8f8db3b11d24916f9b8e02975b327ebe0781b141dcf14461

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio8392185678075795181.tmp

Filesize
1KB

MD5
085d84f2e28b2aa727823d9ce9aeea8d

SHA1
9bf3a676a076dc2ab53a649dac5d81dc6922ad65

SHA256
b38aa474cad27626d24c1198e3ceefc04dd1d737efef3167e7cb3c5d5edd2fae

SHA512
cfe7388f441d158b6b04225e2bb909a4c38506728b5af4b6352af6ef5ba03f3d1667e2a86e2a2bc940ba981df9e71bf912cf79708967905df0863557684eb66c

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio8409046702797576129.tmp

Filesize
6KB

MD5
90713e61ba09298465c20b1f924bb412

SHA1
0db96781a7f563304e2931ce4f2c81a7b5120ed2

SHA256
5cae5caad27347b7d69e614b29bdfd7498fb87f2b3d3564d3e492f9b0ff4dab9

SHA512
887fda44110b62a0f53d3e7beeb39cbc311730e47ce9c545b8a0eadf42df10890a3f3bac1319c4b940c7115f9ada52bf2853f7ce26d8fb821b5c43acbfabda24

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio8606753405480960721.tmp

Filesize
8KB

MD5
bc4b8cb5e4774c137b42d62b552685ef

SHA1
5d17b95a6f3a0bbe9359cf950c733ff4d9fb28e4

SHA256
2ce0654e32fcdb0a34b7717868c242cbfb76ffe3d52f1a87491b6c423c3b37f2

SHA512
45e91d29a893d9b4b8ac40a211619014dbeba67a0ed87bc4016cbf86411e6178b3888c3da2b605f891556b00ada97f52b2e2255f7fb04f65003180b488eec756

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio8618533082269540475.tmp

Filesize
1KB

MD5
6e05d0fb7842749025807d1859060194

SHA1
06b1a8616baf994d7f53779d05e532a71ef38dfe

SHA256
2792534c1043de7bf9ca230a858b0ea3314ec9d5d1d03b54209d5e7004ce74c7

SHA512
2340ba8c4870dabc1c47d86a3d04b22ef4d9d67b4c81fb58f768ab1a43d1a0c33e4dfb683e983e3fe433bd3c1a851ad28e4e3ca46b5fc30feb42b15c12880cae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
399B

MD5
08c4bf8bbe31065b1469d9355c1c2df7

SHA1
cf3c0eb88a889a3bb66a1d21adde078b9237c387

SHA256
a4cffdd0ff8a86b7a7f17e59ba7795854174f0537a534f02722aec8133589219

SHA512
e94874b3dc6bede82354048a3d452e69759b120851ba5dddc335e3cc6438b741ad671a42765bf5c6ed4cff1ab0348d5c0d34e3a27aaa2aa28a2c46bb4cab74a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\[RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar

Filesize
332KB

MD5
c6f19bd285ac0c699435b607a163bedd

SHA1
959fd4aa99f9550359eeccf5770565fb0503104d

SHA256
21810e5c5329762599cdb396feba7c560e42808f11d7eda6ea8afcc0d3d1cd1d

SHA512
96be9a0c64c27cca97b690e9b8e07db114271b7888b4acacf8aed0a89750ab6fd967e48cd277abe3e359726af1f094e8c33b6b4e0b4b5561559189e8577ca708

Download Submit
memory/2992-83-0x0000024A00310000-0x0000024A00320000-memory.dmp

Filesize
64KB

Download
memory/2992-37-0x0000024A00290000-0x0000024A002A0000-memory.dmp

Filesize
64KB

Download
memory/2992-2252-0x0000024A00270000-0x0000024A00280000-memory.dmp

Filesize
64KB

Download
memory/2992-2253-0x0000024A00280000-0x0000024A00290000-memory.dmp

Filesize
64KB

Download
memory/2992-2254-0x0000024A00290000-0x0000024A002A0000-memory.dmp

Filesize
64KB

Download
memory/2992-2255-0x0000024A002A0000-0x0000024A002B0000-memory.dmp

Filesize
64KB

Download
memory/2992-2256-0x0000024A002B0000-0x0000024A002C0000-memory.dmp

Filesize
64KB

Download
memory/2992-2257-0x0000024A002C0000-0x0000024A002D0000-memory.dmp

Filesize
64KB

Download
memory/2992-2258-0x0000024A002D0000-0x0000024A002E0000-memory.dmp

Filesize
64KB

Download
memory/2992-2259-0x0000024A002E0000-0x0000024A002F0000-memory.dmp

Filesize
64KB

Download
memory/2992-2260-0x0000024A002F0000-0x0000024A00300000-memory.dmp

Filesize
64KB

Download
memory/2992-2261-0x0000024A00300000-0x0000024A00310000-memory.dmp

Filesize
64KB

Download
memory/2992-2262-0x0000024A00310000-0x0000024A00320000-memory.dmp

Filesize
64KB

Download
memory/2992-2-0x0000024A00000000-0x0000024A00270000-memory.dmp

Filesize
2.4MB

Download
memory/2992-145-0x0000024A72650000-0x0000024A72651000-memory.dmp

Filesize
4KB

Download
memory/2992-75-0x0000024A72650000-0x0000024A72651000-memory.dmp

Filesize
4KB

Download
memory/2992-314-0x0000000065E40000-0x0000000065E55000-memory.dmp

Filesize
84KB

Download
memory/2992-2264-0x0000024A00330000-0x0000024A00340000-memory.dmp

Filesize
64KB

Download
memory/2992-323-0x0000024A00330000-0x0000024A00340000-memory.dmp

Filesize
64KB

Download
memory/2992-327-0x0000024A72650000-0x0000024A72651000-memory.dmp

Filesize
4KB

Download
memory/2992-2251-0x0000024A00000000-0x0000024A00270000-memory.dmp

Filesize
2.4MB

Download
memory/2992-11-0x0000024A72650000-0x0000024A72651000-memory.dmp

Filesize
4KB

Download
memory/2992-18-0x0000024A72650000-0x0000024A72651000-memory.dmp

Filesize
4KB

Download
memory/2992-33-0x0000024A00270000-0x0000024A00280000-memory.dmp

Filesize
64KB

Download
memory/2992-35-0x0000024A00280000-0x0000024A00290000-memory.dmp

Filesize
64KB

Download
memory/2992-42-0x0000024A72650000-0x0000024A72651000-memory.dmp

Filesize
4KB

Download
memory/2992-45-0x0000024A002B0000-0x0000024A002C0000-memory.dmp

Filesize
64KB

Download
memory/2992-98-0x0000024A00320000-0x0000024A00330000-memory.dmp

Filesize
64KB

Download
memory/2992-96-0x0000024A00310000-0x0000024A00320000-memory.dmp

Filesize
64KB

Download
memory/2992-79-0x0000024A00300000-0x0000024A00310000-memory.dmp

Filesize
64KB

Download
memory/2992-94-0x0000024A00300000-0x0000024A00310000-memory.dmp

Filesize
64KB

Download
memory/2992-92-0x0000024A002F0000-0x0000024A00300000-memory.dmp

Filesize
64KB

Download
memory/2992-90-0x0000024A002E0000-0x0000024A002F0000-memory.dmp

Filesize
64KB

Download
memory/2992-89-0x0000024A002D0000-0x0000024A002E0000-memory.dmp

Filesize
64KB

Download
memory/2992-67-0x0000024A72650000-0x0000024A72651000-memory.dmp

Filesize
4KB

Download
memory/2992-86-0x0000024A72650000-0x0000024A72651000-memory.dmp

Filesize
4KB

Download
memory/2992-85-0x0000024A00320000-0x0000024A00330000-memory.dmp

Filesize
64KB

Download
memory/2992-44-0x0000024A002A0000-0x0000024A002B0000-memory.dmp

Filesize
64KB

Download
memory/2992-95-0x0000024A00330000-0x0000024A00340000-memory.dmp

Filesize
64KB

Download
memory/2992-2263-0x0000024A00320000-0x0000024A00330000-memory.dmp

Filesize
64KB

Download
memory/2992-88-0x0000000065E40000-0x0000000065E55000-memory.dmp

Filesize
84KB

Download
memory/2992-66-0x0000024A002F0000-0x0000024A00300000-memory.dmp

Filesize
64KB

Download
memory/2992-63-0x0000024A002D0000-0x0000024A002E0000-memory.dmp

Filesize
64KB

Download
memory/2992-64-0x0000024A002E0000-0x0000024A002F0000-memory.dmp

Filesize
64KB

Download
memory/2992-60-0x0000024A002C0000-0x0000024A002D0000-memory.dmp

Filesize
64KB

Download
memory/2992-59-0x0000000065E40000-0x0000000065E55000-memory.dmp

Filesize
84KB

Download
memory/2992-58-0x0000024A002B0000-0x0000024A002C0000-memory.dmp

Filesize
64KB

Download
memory/2992-57-0x0000024A002A0000-0x0000024A002B0000-memory.dmp

Filesize
64KB

Download
memory/2992-56-0x0000024A00290000-0x0000024A002A0000-memory.dmp

Filesize
64KB

Download
memory/2992-55-0x0000024A00280000-0x0000024A00290000-memory.dmp

Filesize
64KB

Download
memory/2992-54-0x0000024A00270000-0x0000024A00280000-memory.dmp

Filesize
64KB

Download
memory/2992-53-0x0000024A00000000-0x0000024A00270000-memory.dmp

Filesize
2.4MB

Download
memory/2992-51-0x0000024A72650000-0x0000024A72651000-memory.dmp

Filesize
4KB

Download
memory/2992-48-0x0000024A002C0000-0x0000024A002D0000-memory.dmp

Filesize
64KB

Download
memory/2992-41-0x0000024A72650000-0x0000024A72651000-memory.dmp

Filesize
4KB

Download
memory/3032-120-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

Filesize
2.0MB

Download
memory/3032-429-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

Filesize
2.0MB

Download
memory/3032-110-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

Filesize
2.0MB

Download
memory/3032-115-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

Filesize
2.0MB

Download
memory/3032-102-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

Filesize
64KB

Download
memory/3032-103-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

Filesize
64KB

Download
memory/3032-114-0x00007FFF52050000-0x00007FFF52060000-memory.dmp

Filesize
64KB

Download
memory/3032-112-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

Filesize
2.0MB

Download
memory/3032-104-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

Filesize
64KB

Download
memory/3032-105-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

Filesize
64KB

Download
memory/3032-100-0x00007FFF940CD000-0x00007FFF940CE000-memory.dmp

Filesize
4KB

Download
memory/3032-101-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

Filesize
64KB

Download
memory/3032-118-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

Filesize
2.0MB

Download
memory/3032-107-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

Filesize
2.0MB

Download
memory/3032-108-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

Filesize
2.0MB

Download
memory/3032-109-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

Filesize
2.0MB

Download
memory/3032-111-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

Filesize
2.0MB

Download
memory/3032-116-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

Filesize
2.0MB

Download
memory/3032-117-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

Filesize
2.0MB

Download
memory/3032-119-0x00007FFF52050000-0x00007FFF52060000-memory.dmp

Filesize
64KB

Download
memory/3032-113-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

Filesize
2.0MB

Download
memory/3032-121-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

Filesize
2.0MB

Download
memory/3032-106-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

Filesize
2.0MB

Download