b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd

Analysis

max time kernel
150s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
Size

51KB
MD5

0ec13669b9f8bfa8f75e3a8829b34778
SHA1

612e4eb12b67c413d1f24115b68eedc500d240af
SHA256

b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd
SHA512

fcf5733623347e06642e024e5f7825fadc585880bf8e9087019ddac36e0c1ede9a37e9422530b40dc053b7fa198ff2c31ffba6805c6f333c71a0dc380fbd5fab
SSDEEP

384:/B9FqeuDcAfrL6Kt+xDMmkhdQhmwcpbKGqJixShqxHUXFO4Xik3dKx9UrFXdB6ba:JCJgi9+xDMm+SQwcV/JU0DUv0Vknu4

Score

8^/10

discovery persistence phishing

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\afunix.sys	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\drivers\gm.dls	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\drivers\gmreadme.txt	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe

Manipulates Digital Signatures 1 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\wintrust.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe

A potential corporate email address has been identified in the URL: 67C716D751E567F70A490D4C@AdobeOrg
phishing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Win32.crAcker.A = "C:\\Windows\\system32\\crAcker.exe"	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\FXSEXT32.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\scripto.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\authfwcfg.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\AuthFWWizFwk.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\GamePanel.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\joy.cpl	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\KBDPL1.DLL	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\FontGlyphAnimator.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\lsmproxy.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\mftranscode.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\prncache.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\schannel.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\wscript.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\uudf.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\acledit.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\comdlg32.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\glmf32.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\networkitemfactory.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\POSyncServices.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\SystemEventsBrokerClient.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\unlodctr.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\wshunix.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\eventcls.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\InputSwitch.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\ortcengine.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\secur32.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\useractivitybroker.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\Windows.Perception.Stub.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\wininet.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\AuthBrokerUI.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\iri.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\KBDA1.DLL	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\cfgbkend.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\icsigd.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\MbaeApiPublic.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc120deu.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\msrating.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\stobject.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\DavSyncProvider.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\dfrgui.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\dmcommandlineutils.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\msieftp.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\TpmTool.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\XInputUap.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\eventvwr.msc	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\pifmgr.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\SearchFilterHost.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\CHxReadingStringIME.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\kbdlk41a.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc120fra.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\ntmarta.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\systemcpl.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\wscui.cpl	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\winrs.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\chcp.com	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\cttunesvr.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\instnm.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\mssph.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\MSWebp.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\pcbp.rs	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\SCardDlg.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\XAudio2_8.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\winipcfile.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\CertEnroll.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File created	C:\WINDOWS\WMSysPr9.prx	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\write.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\HelpPane.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\mib.bin	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\Professional.xml	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\splwow64.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\sysmon.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\win.ini	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\hh.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\winhlp32.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\bfsvc.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\explorer.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\notepad.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\PFRO.log	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\setupact.log	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\setuperr.log	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\lsasetup.log	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\SysmonDrv.sys	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\system.ini	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\twain_32.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2604	msedge.exe
2604	msedge.exe
1372	msedge.exe
1372	msedge.exe
2648	identity_helper.exe
2648	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 1372	840	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe	99
PID 840 wrote to memory of 1372	840	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe	99
PID 1372 wrote to memory of 2344	1372	msedge.exe	100
PID 1372 wrote to memory of 2344	1372	msedge.exe	100
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2788	1372	msedge.exe	102
PID 1372 wrote to memory of 2604	1372	msedge.exe	103
PID 1372 wrote to memory of 2604	1372	msedge.exe	103
PID 1372 wrote to memory of 1348	1372	msedge.exe	104
PID 1372 wrote to memory of 1348	1372	msedge.exe	104
PID 1372 wrote to memory of 1348	1372	msedge.exe	104
PID 1372 wrote to memory of 1348	1372	msedge.exe	104
PID 1372 wrote to memory of 1348	1372	msedge.exe	104
PID 1372 wrote to memory of 1348	1372	msedge.exe	104
PID 1372 wrote to memory of 1348	1372	msedge.exe	104
PID 1372 wrote to memory of 1348	1372	msedge.exe	104
PID 1372 wrote to memory of 1348	1372	msedge.exe	104
PID 1372 wrote to memory of 1348	1372	msedge.exe	104
PID 1372 wrote to memory of 1348	1372	msedge.exe	104
PID 1372 wrote to memory of 1348	1372	msedge.exe	104
PID 1372 wrote to memory of 1348	1372	msedge.exe	104
PID 1372 wrote to memory of 1348	1372	msedge.exe	104
PID 1372 wrote to memory of 1348	1372	msedge.exe	104
PID 1372 wrote to memory of 1348	1372	msedge.exe	104
PID 1372 wrote to memory of 1348	1372	msedge.exe	104
PID 1372 wrote to memory of 1348	1372	msedge.exe	104

C:\Users\Admin\AppData\Local\Temp\b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
"C:\Users\Admin\AppData\Local\Temp\b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.freeav.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ab9346f8,0x7ff8ab934708,0x7ff8ab934718
    3⤵
    PID:2344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,8585552876119886376,15868829464990518657,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    3⤵
    PID:2788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,8585552876119886376,15868829464990518657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,8585552876119886376,15868829464990518657,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
    3⤵
    PID:1348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8585552876119886376,15868829464990518657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:1948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8585552876119886376,15868829464990518657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:1176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8585552876119886376,15868829464990518657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:1
    3⤵
    PID:2036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,8585552876119886376,15868829464990518657,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4660 /prefetch:8
    3⤵
    PID:5100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8585552876119886376,15868829464990518657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
    3⤵
    PID:3064
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,8585552876119886376,15868829464990518657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
    3⤵
    PID:4352
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,8585552876119886376,15868829464990518657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8585552876119886376,15868829464990518657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
    3⤵
    PID:3628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8585552876119886376,15868829464990518657,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
    3⤵
    PID:4792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8585552876119886376,15868829464990518657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
    3⤵
    PID:4356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8585552876119886376,15868829464990518657,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
    3⤵
    PID:5080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8585552876119886376,15868829464990518657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1424 /prefetch:1
    3⤵
    PID:2452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8585552876119886376,15868829464990518657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
    3⤵
    PID:1276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8585552876119886376,15868829464990518657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
    3⤵
    PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.antispyware.com/
  2⤵
  PID:1452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ab9346f8,0x7ff8ab934708,0x7ff8ab934718
    3⤵
    PID:5096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1156

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x2fc
1⤵
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
4c3974caacdb36fc8e2d346f1ce1356d

SHA1
ee91b1ac502e095a1b8e34d2e344bfd3e52721b5

SHA256
6914649e76a202d41bfb732262f6cb1b67a473c9f398c90a84e71c60913ba878

SHA512
97db611dcf044a2f6074d6cf3e4f5712842a488898f0f4b1e9884d736ee67c0efd7a5ba2f3b457b50282b98482c3258f1f4561dd43c70829a5eba3b1ec277da9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
8ef2b7629d56a23f037dd33a194a88ab

SHA1
9c10603839add0f718131d7d2651ee33d97df908

SHA256
1648f1fe2a569348b8a1409d34e74911a4288a744b40fce9f7c9d198db94a91e

SHA512
f849258077958a9d2adb272caf2095b55340e1a465bbb4f9ba8ec8006a584972d872530dd92686191b34de3e0efad8bcbd242754dd2026ab0f53146ad7832e12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
208005d7dc5d893c6f123617364e4119

SHA1
dbf67c0e80b2dcea62af3fdd09d4f0b6e4aff8cd

SHA256
9bdbf554430802c2b09e4e620ff4c9a8a2917a11f62e691a3fc4543294d504a1

SHA512
d5a2429fb1ac8220017838ad910cfd27fa1d34794a63a84a92b35d92149622d806b2a9f5ed942a7df1e7da9e7e0af0783a2d1b86b071e2d30d97820d13f11893

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8a9e6343664dddbf56ea5423547cfd2b

SHA1
a28fb346f82543b7d4c5930cc91f3927ffd9d7be

SHA256
826cd856e86c5306a0338fcefa063727108766e63ef022c498b4731a74c43eb8

SHA512
81141740fdd8670cd67760b6be9cffe49da3929294a444d6f601256d52a29940b6464ec562960ad3f1b36a220081f6d6dce2469b22603c56f3f4dac4f8490074

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a60229028022afb1b44aaa1242462ae1

SHA1
dafbd61efb69a72af6eeac71446e982e9010d898

SHA256
b418df0f64f55b8dadccc4d029ac8514b359daf5e107a0c4f699aef5f9f7059b

SHA512
3b0c5b59e6e7699baf93b953cd4dcff818484f35fa386d69f113345c69e87b32948273c2b6934d56195aad898614a44782b2132a0e84bc691789e8593479a754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
96c0361b58365b33d056f655ed236c46

SHA1
ac7fdc52eeabacd386f17801324ce90f6b876cb1

SHA256
df7e3e115aa369f1484bfeeded0bf8264aecd20323c4c6e8e96ab0efb2bf58e6

SHA512
ceb494fe8898aff2bdd85d05efc9a50c34d0716d68a9d9e66f3d46df2fd1c545e96077b7108b386a635af062482ef9b913dee5a6e21617f2f5a42626c6136243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
89bd38c950299dc4a1437d3a5db99f0b

SHA1
a80a3b137808667c6bdd602fcab04db5047d887b

SHA256
70417ccf9ded9542fb910c3f5c298229896929a12c1c7ba51614f6cdadec218d

SHA512
72c8803d70896eaeac45251f5fd0bc8c77913e56f78b661515b2075cbdcda1e820ae0583b454ad41f3c9a94fe9144aca8847318a903ea6d8ed9711f9d7c061f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a02b1.TMP

Filesize
1KB

MD5
5ae761a7872420a27b619b4948512aca

SHA1
7412c9a50347a3fc222f926863d25d5049fb6c7b

SHA256
a529b2e924a24a52ca49ade8ed24286e9f3e05f2fc361d3f3a6c8bfe9eddca59

SHA512
a0f1db97ed8c4618ff8410366cccf6f141c467906c00a24751e84fc2d2df95668d8bbebeb6051ddd674c74ecb7b66ea0ff636970a3b4484b5936bf2529f7b95c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
42399ecc897b97efa245d990c41b6925

SHA1
819ac7308dff4724e19be69a57c1a701650fe266

SHA256
0ea4b1c7394e5b15e2835ef7f2f949021039d71eef4f573c639d8bc4a78a857e

SHA512
6de9ba5d64ba498facbb9ed962c2cb0d3e10f5c8d1d4a7b0b18bbe621956aeedec340a2e5566a55ee9c4b93d2d48983422a7106134a9ab79f7422e1c884df01a

Download Submit
C:\Windows\Professional.xml

Filesize
57KB

MD5
e9218c384e18f34a1e47d775ed3994b5

SHA1
8f26aa0abdb1621957a14a195e08af052d8d3fb0

SHA256
6eb4016416e54e44bdd9ec73ae52f37b977875bfff617cb16c85f4be569f5066

SHA512
17c94de55326f6561b0de174ec64cbbb9bc738a64c6cfa6970cfa411fa5cc97adcdbd7e629425bb483ca3ede27ddd5533157ec0389606e52da85ec455f5de849

Download Submit
C:\exc.exe

Filesize
23KB

MD5
efc24c0fea1566e21e7b76a543b84aa2

SHA1
b46c6c3ed50357b089d20eead2da88b0bffbf6ed

SHA256
3601706b4c18bea83da9d8e2b424242ba54baaf544d91a9f92ff68e6e1da78d1

SHA512
f33b3165c0db3e0481fb00c6a3b67434aa68dfe42ab3f5255be0127c2357d154c2c0c0cc591e9f8728b789aeb77f8cab57e4df3593e35eaf09494ef0dd941035

Download Submit
memory/840-825-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/840-1265-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/840-311-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/840-111-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/840-10-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/840-1955-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download