asyncrat | 8f6baf69e7e047012b20299cd4d3bf4f86eaee8c7f42fed6cb4a33b79ef51dd2

Resubmissions

11-11-2024 13:51

241111-q54elszdrl 10

11-11-2024 13:41

241111-qy5zvstjer 10

11-11-2024 13:36

241111-qwhrjszdkn 10

11-11-2024 13:30

241111-qr3k6azcqp 10

Analysis

max time kernel
1199s
max time network
1200s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SunlightBootstrapper.exe
Size

1.8MB
MD5

7c4f1852448b6217ca92deecaceb6247
SHA1

23f8b47a3a5bbcadb7d01dd8a727e0c2c48c0848
SHA256

8f6baf69e7e047012b20299cd4d3bf4f86eaee8c7f42fed6cb4a33b79ef51dd2
SHA512

4ef4281529f2159761f11ad890da0f7d79e2513019a1fd717b312ef2fb0ef9d01a54cb07561e40b0c12edd46089a8228f977ebb2ac109939bdddda57fad2f812
SSDEEP

24576:dsmUYlIZ2RBbEeUhk7Dz6rdnkYA1LUqBFJJCZm4E6+eQ:emUYlIckeUAGnmLtFaZ0pe

Score

10^/10

asyncrat default discovery evasion rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

109.87.212.225:1337

Mutex

oIyMus9FxRxA

Attributes

delay
3
install
true
install_file
dwm.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "3"	disable-defender.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	disable-defender.exe

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0007000000023c93-6.dat	family_asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	SunlightBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	tmpA41F.tmp.com
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	SunlightBootstrapper.exe

Executes dropped EXE 6 IoCs

pid	Process
3424	tmpA41F.tmp.com
5108	dwm.exe
4648	SunlightBootstrapper.exe
1612	tmp873C.tmp.com
1912	disable-defender.exe
5768	disable-defender.exe

Windows security modification 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	disable-defender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	disable-defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	disable-defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	disable-defender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	disable-defender.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp873C.tmp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA41F.tmp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2724	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 103906.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 46387.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3280	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2984	vlc.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
3424	tmpA41F.tmp.com
3424	tmpA41F.tmp.com
3424	tmpA41F.tmp.com
3424	tmpA41F.tmp.com
3424	tmpA41F.tmp.com
3424	tmpA41F.tmp.com
3424	tmpA41F.tmp.com
3424	tmpA41F.tmp.com
3424	tmpA41F.tmp.com
3424	tmpA41F.tmp.com
3424	tmpA41F.tmp.com
3424	tmpA41F.tmp.com
3424	tmpA41F.tmp.com
3424	tmpA41F.tmp.com
3424	tmpA41F.tmp.com
3424	tmpA41F.tmp.com
3424	tmpA41F.tmp.com
3424	tmpA41F.tmp.com
3424	tmpA41F.tmp.com
3424	tmpA41F.tmp.com
3424	tmpA41F.tmp.com
3424	tmpA41F.tmp.com
3424	tmpA41F.tmp.com
4876	msedge.exe
4876	msedge.exe
3368	msedge.exe
3368	msedge.exe
3800	identity_helper.exe
3800	identity_helper.exe
6016	msedge.exe
6016	msedge.exe
6108	msedge.exe
6108	msedge.exe
1912	disable-defender.exe
1912	disable-defender.exe
5768	disable-defender.exe
5768	disable-defender.exe
5840	msedge.exe
5840	msedge.exe
5840	msedge.exe
5840	msedge.exe
5996	sdiagnhost.exe
5996	sdiagnhost.exe
4024	msedge.exe
4024	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2984	vlc.exe
5108	dwm.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
648	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	SunlightBootstrapper.exe
Token: SeDebugPrivilege	3424	tmpA41F.tmp.com
Token: SeDebugPrivilege	5108	dwm.exe
Token: SeDebugPrivilege	5108	dwm.exe
Token: SeDebugPrivilege	4648	SunlightBootstrapper.exe
Token: SeDebugPrivilege	1912	disable-defender.exe
Token: SeImpersonatePrivilege	1912	disable-defender.exe
Token: SeManageVolumePrivilege	4244	svchost.exe
Token: SeDebugPrivilege	5996	sdiagnhost.exe
Token: SeBackupPrivilege	4444	svchost.exe
Token: SeRestorePrivilege	4444	svchost.exe
Token: SeSecurityPrivilege	4444	svchost.exe
Token: SeTakeOwnershipPrivilege	4444	svchost.exe
Token: 35	4444	svchost.exe
Token: 33	2376	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2376	AUDIODG.EXE
Token: 33	2984	vlc.exe
Token: SeIncBasePriorityPrivilege	2984	vlc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
2272	msdt.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1912	disable-defender.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe
2984	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 3424	1680	SunlightBootstrapper.exe	86
PID 1680 wrote to memory of 3424	1680	SunlightBootstrapper.exe	86
PID 1680 wrote to memory of 3424	1680	SunlightBootstrapper.exe	86
PID 3424 wrote to memory of 4308	3424	tmpA41F.tmp.com	94
PID 3424 wrote to memory of 4308	3424	tmpA41F.tmp.com	94
PID 3424 wrote to memory of 4308	3424	tmpA41F.tmp.com	94
PID 3424 wrote to memory of 4364	3424	tmpA41F.tmp.com	96
PID 3424 wrote to memory of 4364	3424	tmpA41F.tmp.com	96
PID 3424 wrote to memory of 4364	3424	tmpA41F.tmp.com	96
PID 4364 wrote to memory of 2724	4364	cmd.exe	98
PID 4364 wrote to memory of 2724	4364	cmd.exe	98
PID 4364 wrote to memory of 2724	4364	cmd.exe	98
PID 4308 wrote to memory of 3280	4308	cmd.exe	99
PID 4308 wrote to memory of 3280	4308	cmd.exe	99
PID 4308 wrote to memory of 3280	4308	cmd.exe	99
PID 4364 wrote to memory of 5108	4364	cmd.exe	101
PID 4364 wrote to memory of 5108	4364	cmd.exe	101
PID 4364 wrote to memory of 5108	4364	cmd.exe	101
PID 3368 wrote to memory of 4456	3368	msedge.exe	106
PID 3368 wrote to memory of 4456	3368	msedge.exe	106
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4184	3368	msedge.exe	107
PID 3368 wrote to memory of 4876	3368	msedge.exe	108
PID 3368 wrote to memory of 4876	3368	msedge.exe	108
PID 3368 wrote to memory of 4112	3368	msedge.exe	109
PID 3368 wrote to memory of 4112	3368	msedge.exe	109

C:\Users\Admin\AppData\Local\Temp\SunlightBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SunlightBootstrapper.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\tmpA41F.tmp.com
  "C:\Users\Admin\AppData\Local\Temp\tmpA41F.tmp.com"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dwm" /tr '"C:\Users\Admin\AppData\Local\Temp\dwm.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "dwm" /tr '"C:\Users\Admin\AppData\Local\Temp\dwm.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB68E.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\dwm.exe
      "C:\Users\Admin\AppData\Local\Temp\dwm.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9eae446f8,0x7ff9eae44708,0x7ff9eae44718
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3408 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:5580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6488 /prefetch:8
  2⤵
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4128 /prefetch:8
  2⤵
  PID:5916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6332 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4456 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,8232663873212355061,15067246107862887517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4024
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\squirrel.mp4"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1496

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5068

C:\Users\Admin\Downloads\SunlightBootstrapper.exe
"C:\Users\Admin\Downloads\SunlightBootstrapper.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4648
- C:\Users\Admin\AppData\Local\Temp\tmp873C.tmp.com
  "C:\Users\Admin\AppData\Local\Temp\tmp873C.tmp.com"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1612

C:\Users\Admin\Downloads\disable-defender.exe
"C:\Users\Admin\Downloads\disable-defender.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1912
- C:\Users\Admin\Downloads\disable-defender.exe
  C:\Users\Admin\Downloads\disable-defender.exe
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  PID:5768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:5868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault3681de51h513dh4a0fh9329h74d66ec994de
1⤵
PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xd4,0x128,0x7ff9eae446f8,0x7ff9eae44708,0x7ff9eae44718
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,18223740310801231336,5122204803049292076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault1cb78f24h17d7h4cb2h9d11hc7a647f11524
1⤵
PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9eae446f8,0x7ff9eae44708,0x7ff9eae44718
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,10654468018702073083,14449686178780633762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  PID:5460

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Downloads\SunlightBootstrapper.exe" ContextMenu
1⤵
PID:5932
- C:\Windows\System32\msdt.exe
  C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCWB1E7.xml /skip TRUE
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2272

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bhnjw4vb\bhnjw4vb.cmdline"
  2⤵
  PID:2496
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB65C.tmp" "c:\Users\Admin\AppData\Local\Temp\bhnjw4vb\CSC66EAF38CEF234B3180F2676325CC78F.TMP"
    3⤵
    PID:1504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mdmrf4qn\mdmrf4qn.cmdline"
  2⤵
  PID:2188
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6E9.tmp" "c:\Users\Admin\AppData\Local\Temp\mdmrf4qn\CSCA24FB641AA0D43D9A85EF4DAC78445B2.TMP"
    3⤵
    PID:3320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oijfw4ub\oijfw4ub.cmdline"
  2⤵
  PID:5028
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAFF.tmp" "c:\Users\Admin\AppData\Local\Temp\oijfw4ub\CSC75902650EF8C442D8BC35DA3FE1BEB6C.TMP"
    3⤵
    PID:4120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x38c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024111113.000\PCW.debugreport.xml

Filesize
3KB

MD5
03a00e07b2a92a598dbd6c33a010d388

SHA1
f888e00a01c33c5f917a9fa053347d7c8769dd88

SHA256
9ea2d40f7179a6fcbed7fc21a24d22597a618058cab401f8ddc89c576841c52b

SHA512
92cb45728747d7adcf603b50db85ca1607f7118993a6934e400ac271cd0f6c74c962ab2ea33898577d2cfaf9a6c6c19d3a566810656ed8fbc74a409eef75d9b9

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024111113.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SunlightBootstrapper.exe.log

Filesize
847B

MD5
66a0a4aa01208ed3d53a5e131a8d030a

SHA1
ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1

SHA256
f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8

SHA512
626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1041b17fe76b2683ed91e32230a8a8a3

SHA1
3846a20b43edbced681ffa6d64883bce38615682

SHA256
73e546d36485636ad0791fb4eba0871499e09348de3d8d0d3bd8c0ea8140a705

SHA512
0c6437afdb1244f69976f7030c8d293cbe0b4c7a9baa2b3da1255019e1e29996534dac0b1a8f6819e6e979b9e365e387081495b96ad0eff794bd24970d00d211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
115277819d277d50eedbb6885c3ea329

SHA1
5289a784ed1407718b337425a7ee8f2244ada377

SHA256
fb435a00b429037d6b293b2c197e45fb9d679cf583e484015eb66e14f268bdf1

SHA512
9e4c4568182b5b5d3cb2c444c0dc2dbc735c84830912aa759fcb2f908afef1bacb62ac0765d54fdadb1783e04c1546f2aa35a5254a1189af2e102136ec761e38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2015a1c6a8fce3b8ef017076c982a0af

SHA1
7849dbb58040a726e64c744bef2c45be8f6c7380

SHA256
9d11713c6d4013d0d889a767c77d6f583f57ab615ebea112b664909806d75fa2

SHA512
997dc53e3fa2af2df7410b421d73f787a3da189cca1d1ca7d2b977239da8c54d0151f3893ad2f90795b23bdd14eadcb928c6504c48a5ace051539cff886e1c70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6aa6f062e46a1f2482714f5cc1b29ef5

SHA1
edd799c5437aed9696d349d07ac7628d99e16e9a

SHA256
4e1da483f501fb3cbf449a599847492e78ae00aa10db99b7a3da9d6e8e066e04

SHA512
3ea52d9ce0e059a21b20e5225b93c707987b560ba941456dfa9285ed97cd114054462795ef31c6149856ccedd93bedfd46f5e24fa00faa1dced0b52c7c2dd403

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a20ac6fe10daf03241799061c897727b

SHA1
99da870f5107a4069bc474ffe87365e7bd0dbe2e

SHA256
2b71c17f2fda38b0c8c522ce588b4afbf4b40d9414359fb02c205330c7c08631

SHA512
c1a612b7567a46ef5ca633062e9dcc2a94c59ded9c5b9f2ce96e4e7ccc15835eca1be3ab9267d7e66cc2a2a2ddd4c434b73479b38185736231fcc51c2562f4eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c46f1b0873d94058be2f0a313969b1de

SHA1
92958dfd2a2e5df04983f9065f6a76d1119e6df7

SHA256
1d71bbb346cda7bf63b89308326fc84ae0d03e212ba77df45b57683a404b80c7

SHA512
37e10dbf1d9a3ea8f3ab12a1c5fc8e3867077a4518f5292830a1881c9a2669b6ee928097e6c6df34a1e96249dee11e52952e5fccab160f3cd7cf3232423e2d2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d0058f9eb49e5c80a03e865e50625674

SHA1
37bbdc35b4cdcd0c58229b6c10ba89668574ce4e

SHA256
ea64f04f55cd42dc5961b826eac9b036e50d2580167b3996abf5b885c66b833f

SHA512
a05af2b34478fe16afa0ee823c92d6c137ebc6e9add6c686fa58c51f609677c063dd74f8d6e215b2236792b35ea7503cba8013b20d1393e9fa1a051ce9144127

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f8b9f06f8692288a33e878c4db3c642c

SHA1
b5bf177068f4378c828f6f2b6b1d19bdb8a2b3ad

SHA256
5700d80837b23ac8dfb487f37611fc99dfbf563066ef2d1f3a4dcaabd5fb9e55

SHA512
b4361b38d742bab6ca4ef425a32cb64ffc6597e4cbcf1409c2552ecc7203a9eea413fa139f7a3d407356fa91481c155aec92375e0188127fe1591c50b2436ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
14c5822d03dcf781a29ff6625d5c36c3

SHA1
9ec6d19c8244a200b195850443c22eade936e3cd

SHA256
8e3e9c7131d6ecf16a42ed1ae13c63cde31df643c696016f1157d82d4b0b3bd4

SHA512
959025ae6f6d77d4cff79ee40dd16f29eb1cb2895165fa81dbdab71be75203bbf36b2ce695bf08b69c58a0092f9bc379a749590cfb021c2cb377d334b7999f2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
acb5c211372494ada63c292c21bc34c7

SHA1
abf1149fb88d7c5c6c60d095b72624bb42fe3704

SHA256
74e5e03cdba187b58f37f38878030928d94918429ef2dda95f75e4129e6c6612

SHA512
25f1440e5e5efaca27e72bd1cacb739db3823a4ede7e387770811c61588abe26af5ab7b4c6222dc5ca5efe87abc5eefd70af14e0765dfdac8bdcff7deeb4afff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f52076644c527f28b021323b0f71f64b

SHA1
722834f3eac8f0aad7eb4f1cc0246575c92b8c6d

SHA256
4c0f9adcf8c887dcea8f6c9ec5f66a508e18aac7ce0d68fd94ccfe803b6f3792

SHA512
d261864defa5b67338eeb5673229f269cb768ec19a4805dab54251de91f7e5e634e692edac3b66e4ada48551ff53a5df47c15cdac165ad80123b0bf832e4ee57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
12a28284c0866559f1be8287d7acce64

SHA1
0a1c8006f8301e79dd4b8f38960bdc8466050a7d

SHA256
c5fc9d322c69b23717c4bd38744f328e22fee3b11143a33e7d31447b0be55871

SHA512
c8f10e1d1f742316fb64bd6064a749a25fefb3f70ef7a86136077e7e1cf17792e82cb53022141627a782a7ca750f7c7a4df869556f54dbcab3c6494f335429f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCWB1E7.xml

Filesize
738B

MD5
cfbe8b4abc6aa4bb6556249bc04c0114

SHA1
6faed53fb9490ed52fadc1086f80a444ccf4b41c

SHA256
8ada1e32323d9e10311a1128ab464f8422e184d4c210d0f78463fcf6b995f646

SHA512
465a8bf151128f06dfc6a110c1ba10da53476038004353ae6ff90611e41b41bbf41a404006de5fec1e2a93ed12088b8c573ee8b13507854b7f9e76dbe174a361

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB65C.tmp

Filesize
1KB

MD5
40ad31c733bf6d512e84249f621d4777

SHA1
363a8f15e1712e790a8d6ad356395d4a80ddc424

SHA256
5885aeb3e376ac87b2ecef0ea29c144fabe3b7fdbbb47a5a7fed160c653d33e1

SHA512
cee6563452734f9dd202a819bc565c54c89d5fb2cd181ed95081b5326e99e8f6002a8ec3de6c43f0e42c84a24750ab8019696f210e8bbf96387c6acf893f98bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB6E9.tmp

Filesize
1KB

MD5
698820490917637f09e362b07bff68c0

SHA1
a716303f9d8141ccebd987c0df9f97b2559e1222

SHA256
39f1e95ba9db763c4a89dbc6d81627eecbae68f3e8bb85067e719a95d240f3dd

SHA512
6136f94bae1b9d7e35ce7ab773ab519248a63c262e6ba2416173f646584bb682c11a8bf566aabf56deeacdde6566280fe2f751e1f239792588bd89aaa3284afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBAFF.tmp

Filesize
1KB

MD5
f203b9065434dea7d8584b8d2ec3b9e3

SHA1
8676c1659094d4beaccb3803cc63f50ed68095e8

SHA256
faecb02b26f5eef99007c27ef16ab0de94173c44578cab3c1d3226b459278110

SHA512
d34aa3d6b73d0eea13577f8e6b8b5be8bd29fa746ff63d2d7e8aa9ab4645b44828e8ab48271a614d77d551fafa532e7221e1724e5de772338793f93e2f1edcca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lruc4k4w.oud.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhnjw4vb\bhnjw4vb.dll

Filesize
5KB

MD5
27ba38eb68ea91c3f49c8d47bb0124c8

SHA1
885c27a45cd193724f9675adc30e6e735cd4ab13

SHA256
db57d120e1912951a0859480d4dcee1bf062eba218396dde6e9c936ef27a9216

SHA512
481827ec8bee2cabccfd3dee624e5aa99bb653c6e43ef451602401ae702e20c30e983dfb45307302269289b0f9387088493967d4dec7e18b249ccb17b7b126cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdmrf4qn\mdmrf4qn.dll

Filesize
3KB

MD5
79d5957d03448fa51001b45ee39d66fb

SHA1
8f3d0c0d8e187a45242d7be49ec8efe23da82bec

SHA256
20f3c0874dd7f9ec0e6e20df51620526880c53cf10bce2db17cba3f5602f3811

SHA512
729519dd00d626dcdae1cb2cb71189e76996a78fcc04dea5e17c3b72a779d24d64b8bde79fac26ec5268291551d4e25d6a279dd1ae5485511822c9c934e539bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\oijfw4ub\oijfw4ub.dll

Filesize
9KB

MD5
9b988735f7174192729109dda22b9e32

SHA1
54ad9a73e7ca912dc730b40c6b48f7d7f8086853

SHA256
6a6c844d6ffd1ad1ffe0867ae736e3b2915b181274dc3ea7316deca6bc7a71e7

SHA512
2b3ab971dfd1f129a8317fcbe59ad413309aac0b457a971934da9a15831ab60bca5d00688c632507c6ee36f439bbb5a719ffd8aa417ea6cc1ee9586d718c8560

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA41F.tmp.com

Filesize
47KB

MD5
c19fe978050f62a6efa3e92e37099ac5

SHA1
17029ede51032d5809a9f8c9b501de24603d5bef

SHA256
8ff24a5f07daa0a3d30c5482229825037b2ed80580c2a9fc7734ba3b162dee4a

SHA512
9f23ca7704e608e68194e41ef948d01d60aeb8361de24f3984410db7400039b0f13d5f7fc54c639ef646715faafb72ea471f3cb6fe76eaa3682346dd09ad6670

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB68E.tmp.bat

Filesize
150B

MD5
fa9ffec1afde2f5ab9e16dc8a0138d37

SHA1
67a1b8f49ed9e50153735c3b225213aa1b4f53f4

SHA256
55e1352bc267ff410bd063037d13dbb5989a19c9436691ce7ea35d2ade0f3310

SHA512
b6cb08c24b6f5874d4969d72a8d7d48b361e28ef544af7d28f94f352006f9d762dad0d9c7b1c30270bd42d5872903e43f485d0daf5af17f848e362066c40050b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 103906.crdownload

Filesize
294KB

MD5
10fc8b2915c43aa16b6a2e2b4529adc5

SHA1
0c15286457963eb86d61d83642870a3473ef38fe

SHA256
feb09cc39b1520d228e9e9274500b8c229016d6fc8018a2bf19aa9d3601492c5

SHA512
421631c06408c3be522953459228d2e1d45eeeafce29dba7746c8485a105b59c3a2c0d9e2ffc6d89126cd825ffd09ebe7eb82223a69d1f5caf441feb01e57897

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 46387.crdownload

Filesize
1.8MB

MD5
7c4f1852448b6217ca92deecaceb6247

SHA1
23f8b47a3a5bbcadb7d01dd8a727e0c2c48c0848

SHA256
8f6baf69e7e047012b20299cd4d3bf4f86eaee8c7f42fed6cb4a33b79ef51dd2

SHA512
4ef4281529f2159761f11ad890da0f7d79e2513019a1fd717b312ef2fb0ef9d01a54cb07561e40b0c12edd46089a8228f977ebb2ac109939bdddda57fad2f812

Download Submit
C:\Users\Admin\Downloads\squirrel.mp4

Filesize
1.6MB

MD5
9fddc81f28759aa08a218c734753edb3

SHA1
d45652ca59d916d523605ae4c6b6894b64b7c977

SHA256
1c135587ffa72b2e38398149a569679428666d55f06520d6ea9b22912608d9fd

SHA512
1dbfabc02d6c8128e6f79f6b095c01de16fcb7d1fd52f5de3d0224f8a835dde8bc21326dcf01c5cc33f60dd10cb929321af63fe1e90d92cd17019e7bae03ce3e

Download Submit
C:\Windows\TEMP\SDIAG_ec5a2370-01e4-462f-bcde-af5a32f88c38\RS_ProgramCompatibilityWizard.ps1

Filesize
49KB

MD5
edf1259cd24332f49b86454ba6f01eab

SHA1
7f5aa05727b89955b692014c2000ed516f65d81e

SHA256
ab41c00808adad9cb3d76405a9e0aee99fb6e654a8bf38df5abd0d161716dc27

SHA512
a6762849fedd98f274ca32eb14ec918fdbe278a332fda170ed6d63d4c86161f2208612eb180105f238893a2d2b107228a3e7b12e75e55fde96609c69c896eba0

Download Submit
C:\Windows\TEMP\SDIAG_ec5a2370-01e4-462f-bcde-af5a32f88c38\TS_ProgramCompatibilityWizard.ps1

Filesize
16KB

MD5
925f0b68b4de450cabe825365a43a05b

SHA1
b6c57383a9bd732db7234d1bb34fd75d06e1fb72

SHA256
5b1be3f6c280acfe041735c2e7c9a245e806fd7f1bf6029489698b0376e85025

SHA512
012aadec4ed60b311f2b5374db3a2e409a0708272e6217049643bf33353ab49e4e144d60260b04e3ae29def8a4e1b8ada853a93972f703ca11b827febe7725af

Download Submit
C:\Windows\TEMP\SDIAG_ec5a2370-01e4-462f-bcde-af5a32f88c38\en-US\CL_LocalizationData.psd1

Filesize
6KB

MD5
2c81a148f8e851ce008686f96e5bf911

SHA1
272289728564c9af2c2bd8974693a099beb354ad

SHA256
1a2381382671147f56cf137e749cb8a18f176a16793b2266a70154ee27971437

SHA512
409c2e953672b0399987ec85c7113c9154bc9d6ca87cf523485d9913bb0bf92a850638c84b8dc07a96b6366d406a094d32dc62dd76417c0d4e4ae86d8fcb8bbb

Download Submit
C:\Windows\Temp\SDIAG_ec5a2370-01e4-462f-bcde-af5a32f88c38\DiagPackage.dll

Filesize
65KB

MD5
79134a74dd0f019af67d9498192f5652

SHA1
90235b521e92e600d189d75f7f733c4bda02c027

SHA256
9d6e3ed51893661dfe5a98557f5e7e255bbe223e3403a42aa44ea563098c947e

SHA512
1627d3abe3a54478c131f664f43c8e91dc5d2f2f7ddc049bc30dfa065eee329ed93edd73c9b93cf07bed997f43d58842333b3678e61aceac391fbe171d8461a3

Download Submit
C:\Windows\Temp\SDIAG_ec5a2370-01e4-462f-bcde-af5a32f88c38\en-US\DiagPackage.dll.mui

Filesize
10KB

MD5
d7309f9b759ccb83b676420b4bde0182

SHA1
641ad24a420e2774a75168aaf1e990fca240e348

SHA256
51d06affd4db0e4b37d35d0e85b8209d5fab741904e8d03df1a27a0be102324f

SHA512
7284f2d48e1747bbc97a1dab91fb57ff659ed9a05b3fa78a7def733e809c15834c15912102f03a81019261431e9ed3c110fd96539c9628c55653e7ac21d8478d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bhnjw4vb\CSC66EAF38CEF234B3180F2676325CC78F.TMP

Filesize
652B

MD5
0919f216990e30249e7b8296939adb20

SHA1
205e00a6bbb61558a985e0d3fa5f3fcb1e8541e2

SHA256
7fbc7c5f3bb633a213e402508d8ab9ffb91d37d355931042d2fba326a42fbae4

SHA512
27a03e71c130968ff56d91da141ec9e6822652c523284c3fe7a6cf9ef023a87f0d9ae493209a7bff0b745f675c755d82abb69100eb7888593cef2df66b52a8c8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bhnjw4vb\bhnjw4vb.0.cs

Filesize
5KB

MD5
fc2e5c90a6cb21475ea3d4254457d366

SHA1
68f9e628a26eb033f1ee5b7e38d440cfd598c85d

SHA256
58fcc3cfb1e17e21401e2a4b2452a6e5b8a47163008b54fdcdcc8cadff7e5c77

SHA512
c54b9ce28fa71d7e3629cdd74ac9f23cba873506f1b5825acc2aa407414ed603af4c846dcf388c579f8324e3538e63b26f90421ea9d7fcdd3b277c21bad1a5b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bhnjw4vb\bhnjw4vb.cmdline

Filesize
356B

MD5
64e53ef8ff036ad47ed8c330fe7d41f7

SHA1
4f9de58ebb43fc77afb5543e544b5e97ae7a8dec

SHA256
6c61e52deaa0b55a23225a846787dd1e0fe672065db41de0ce81f359c97d5123

SHA512
ae3ecec40b760a011de9d47917e6c24abd2f8bc8a914aa1ac63044fcaf7967f1d4feca7f05b05cbae10a136ccf28e0876eeecfa071d3bb76b35f0cde358bbfa4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mdmrf4qn\CSCA24FB641AA0D43D9A85EF4DAC78445B2.TMP

Filesize
652B

MD5
c6ba87bf0820ca71198df433ee31ad1b

SHA1
0cb9961bc592d0ad5ae29c6afa0368a5f5570279

SHA256
a59bd0013b60ffc5856a85f9215e9b40ee46df622c836f70717af3db9a85a545

SHA512
8e4a9117be0a48d8dba82d614761999bb17a4b554e12b11b5d526c00d3d8ce69ab529217c3171a205dbfa5bc870d92a9f21cc27e86e954b1d5b5fd34f29b351b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mdmrf4qn\mdmrf4qn.0.cs

Filesize
791B

MD5
3880de647b10555a534f34d5071fe461

SHA1
38b108ee6ea0f177b5dd52343e2ed74ca6134ca1

SHA256
f73390c091cd7e45dac07c22b26bf667054eacda31119513505390529744e15e

SHA512
2bf0a33982ade10ad49b368d313866677bca13074cd988e193b54ab0e1f507116d8218603b62b4e0561f481e8e7e72bdcda31259894552f1e3677627c12a9969

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mdmrf4qn\mdmrf4qn.cmdline

Filesize
356B

MD5
f1012f0caf1e4b243c63008685cf1b1c

SHA1
7133305cd3bb7306105795f7a0fc88fa961a4de1

SHA256
6608345b7bb2a4ad09378c8a1799cb2b02f1482dde9393792038f390c7d7d143

SHA512
b35336fba813672bc16f119e6af13985f13e8eaab367d8c2f83e8b2fdba56cafda11c66426efb3e30fc3a45971081a47461b990c6c58fcf15f0b8b3b0b146312

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oijfw4ub\CSC75902650EF8C442D8BC35DA3FE1BEB6C.TMP

Filesize
652B

MD5
729b78f9cd170818f6b831810bfff708

SHA1
e033e79f0cb65a0de29baa5675608d10c7244c68

SHA256
419e43ef07964afa7e76f8941f3d9e3c25ee50229f460790ba9b6bb760d8e599

SHA512
10a8cd6ee594650d548cca67ae3c8bc295dde9308d997cf68155b9b2f1feacb29a06792a89940e5f0761a72205bfe0e27af52a76ffe0ecf9d2f1deeb1b4a74a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oijfw4ub\oijfw4ub.0.cs

Filesize
11KB

MD5
acf1a7b8aab4c6efda423d4842a10a85

SHA1
ac55b84b81527ad1224a85640c5a2555b19b685d

SHA256
af0a7036a5f650570990f2d562a7c7636b6eaa54f53b6ce3f43aaa070188dafa

SHA512
22e5a8b633a0189e836adb0c34c84b5029e8069e2f0a77803da91ce2b0da14b8fa231ddd1f1b164992d534b8a4ccc51c270e8ff2ff3f2f34536432b4abfc04e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oijfw4ub\oijfw4ub.cmdline

Filesize
356B

MD5
687b71aa31c344c4c61ed3d4086f08a2

SHA1
5921d93979ba6b145dbe3a0e8baae43c9e1cf0ed

SHA256
524ff7f9325890702d089d358e271a936c02ca6a947dba1adea9031b6e0f00c2

SHA512
a5797670b02a670f58dd0bdaed19c14f79617741e31df5bbfc4b7bbb15d7f8c4f909388e4b44240e8557f3f42d334318b497380661e7a685c705eb4fd1b818e8

Download Submit
memory/1680-2-0x00007FF9DB8B0000-0x00007FF9DC371000-memory.dmp

Filesize
10.8MB

Download
memory/1680-23-0x00007FF9DB8B0000-0x00007FF9DC371000-memory.dmp

Filesize
10.8MB

Download
memory/1680-28-0x00007FF9DB8B0000-0x00007FF9DC371000-memory.dmp

Filesize
10.8MB

Download
memory/1680-0-0x00007FF9DB8B3000-0x00007FF9DB8B5000-memory.dmp

Filesize
8KB

Download
memory/1680-22-0x00007FF9DB8B3000-0x00007FF9DB8B5000-memory.dmp

Filesize
8KB

Download
memory/1680-1-0x000001AEFA4C0000-0x000001AEFA690000-memory.dmp

Filesize
1.8MB

Download
memory/2984-619-0x00007FF9D90C0000-0x00007FF9D90D1000-memory.dmp

Filesize
68KB

Download
memory/2984-617-0x00007FF9E21B0000-0x00007FF9E21C1000-memory.dmp

Filesize
68KB

Download
memory/2984-613-0x00007FF9EFAF0000-0x00007FF9EFB08000-memory.dmp

Filesize
96KB

Download
memory/2984-614-0x00007FF9EA8B0000-0x00007FF9EA8C7000-memory.dmp

Filesize
92KB

Download
memory/2984-615-0x00007FF9E6BE0000-0x00007FF9E6BF1000-memory.dmp

Filesize
68KB

Download
memory/2984-618-0x00007FF9D9310000-0x00007FF9D932D000-memory.dmp

Filesize
116KB

Download
memory/2984-620-0x00007FF9D55C0000-0x00007FF9D57CB000-memory.dmp

Filesize
2.0MB

Download
memory/2984-611-0x00007FF9EA690000-0x00007FF9EA6C4000-memory.dmp

Filesize
208KB

Download
memory/2984-610-0x00007FF689B50000-0x00007FF689C48000-memory.dmp

Filesize
992KB

Download
memory/2984-616-0x00007FF9E6BC0000-0x00007FF9E6BD7000-memory.dmp

Filesize
92KB

Download
memory/2984-612-0x00007FF9D5180000-0x00007FF9D5436000-memory.dmp

Filesize
2.7MB

Download
memory/3424-8-0x0000000074D7E000-0x0000000074D7F000-memory.dmp

Filesize
4KB

Download
memory/3424-9-0x0000000000E20000-0x0000000000E32000-memory.dmp

Filesize
72KB

Download
memory/3424-17-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/3424-10-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/3424-11-0x00000000057E0000-0x0000000005846000-memory.dmp

Filesize
408KB

Download
memory/3424-12-0x0000000005C50000-0x0000000005CEC000-memory.dmp

Filesize
624KB

Download
memory/4244-272-0x000001C81D070000-0x000001C81D071000-memory.dmp

Filesize
4KB

Download
memory/4244-269-0x000001C81D060000-0x000001C81D061000-memory.dmp

Filesize
4KB

Download
memory/4244-241-0x000001C81D310000-0x000001C81D311000-memory.dmp

Filesize
4KB

Download
memory/4244-242-0x000001C81D310000-0x000001C81D311000-memory.dmp

Filesize
4KB

Download
memory/4244-243-0x000001C81D310000-0x000001C81D311000-memory.dmp

Filesize
4KB

Download
memory/4244-222-0x000001C814D50000-0x000001C814D60000-memory.dmp

Filesize
64KB

Download
memory/4244-205-0x000001C814C40000-0x000001C814C50000-memory.dmp

Filesize
64KB

Download
memory/4244-237-0x000001C81D2E0000-0x000001C81D2E1000-memory.dmp

Filesize
4KB

Download
memory/4244-238-0x000001C81D310000-0x000001C81D311000-memory.dmp

Filesize
4KB

Download
memory/4244-244-0x000001C81D310000-0x000001C81D311000-memory.dmp

Filesize
4KB

Download
memory/4244-239-0x000001C81D310000-0x000001C81D311000-memory.dmp

Filesize
4KB

Download
memory/4244-240-0x000001C81D310000-0x000001C81D311000-memory.dmp

Filesize
4KB

Download
memory/4244-273-0x000001C81D180000-0x000001C81D181000-memory.dmp

Filesize
4KB

Download
memory/4244-245-0x000001C81D310000-0x000001C81D311000-memory.dmp

Filesize
4KB

Download
memory/4244-271-0x000001C81D070000-0x000001C81D071000-memory.dmp

Filesize
4KB

Download
memory/4244-257-0x000001C81CE60000-0x000001C81CE61000-memory.dmp

Filesize
4KB

Download
memory/4244-254-0x000001C81CF20000-0x000001C81CF21000-memory.dmp

Filesize
4KB

Download
memory/4244-251-0x000001C81CF30000-0x000001C81CF31000-memory.dmp

Filesize
4KB

Download
memory/4244-249-0x000001C81CF20000-0x000001C81CF21000-memory.dmp

Filesize
4KB

Download
memory/4244-248-0x000001C81CF30000-0x000001C81CF31000-memory.dmp

Filesize
4KB

Download
memory/4244-247-0x000001C81D310000-0x000001C81D311000-memory.dmp

Filesize
4KB

Download
memory/4244-246-0x000001C81D310000-0x000001C81D311000-memory.dmp

Filesize
4KB

Download
memory/5108-26-0x00000000064D0000-0x0000000006A74000-memory.dmp

Filesize
5.6MB

Download
memory/5996-519-0x000002317E790000-0x000002317E798000-memory.dmp

Filesize
32KB

Download
memory/5996-534-0x000002317EC10000-0x000002317EC18000-memory.dmp

Filesize
32KB

Download
memory/5996-490-0x000002317E760000-0x000002317E782000-memory.dmp

Filesize
136KB

Download
memory/5996-505-0x000002317E750000-0x000002317E758000-memory.dmp

Filesize
32KB

Download