hxxps://store8[.]gofile[.]io/download/direct/1f07f654-e64c-4970-ad15-0be410adc9e2/Client[.]exe

Analysis

max time kernel
112s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://store8.gofile.io/download/direct/1f07f654-e64c-4970-ad15-0be410adc9e2/Client.exe

Score

10^/10

discovery evasion themida trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 18 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Client.exeaoHGrfFs.exeClient.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Client.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	aoHGrfFs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	aoHGrfFs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Client.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	aoHGrfFs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Client.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	aoHGrfFs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Client.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Client.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Client.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Client.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Client.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	aoHGrfFs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	aoHGrfFs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Client.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Client.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Client.exeaoHGrfFs.exeClient.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Client.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	aoHGrfFs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Client.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aoHGrfFs.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	aoHGrfFs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aoHGrfFs.exe

Executes dropped EXE 3 IoCs

Processes:

Client.exeaoHGrfFs.exeClient.exe

pid process

664 Client.exe
5792 aoHGrfFs.exe
4348 Client.exe

pid	process
664	Client.exe
5792	aoHGrfFs.exe
4348	Client.exe

Themida packer 29 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 770097.crdownload	themida
behavioral1/memory/664-75-0x00007FF7B5AD0000-0x00007FF7B666B000-memory.dmp	themida
behavioral1/memory/664-77-0x00007FF7B5AD0000-0x00007FF7B666B000-memory.dmp	themida
behavioral1/memory/664-78-0x00007FF7B5AD0000-0x00007FF7B666B000-memory.dmp	themida
behavioral1/memory/664-79-0x00007FF7B5AD0000-0x00007FF7B666B000-memory.dmp	themida
behavioral1/memory/664-81-0x00007FF7B5AD0000-0x00007FF7B666B000-memory.dmp	themida
behavioral1/memory/664-80-0x00007FF7B5AD0000-0x00007FF7B666B000-memory.dmp	themida
behavioral1/memory/664-82-0x00007FF7B5AD0000-0x00007FF7B666B000-memory.dmp	themida
behavioral1/memory/664-94-0x00007FF7B5AD0000-0x00007FF7B666B000-memory.dmp	themida
behavioral1/memory/5792-132-0x00007FF78B900000-0x00007FF78C49B000-memory.dmp	themida
behavioral1/memory/5792-133-0x00007FF78B900000-0x00007FF78C49B000-memory.dmp	themida
behavioral1/memory/5792-134-0x00007FF78B900000-0x00007FF78C49B000-memory.dmp	themida
behavioral1/memory/5792-135-0x00007FF78B900000-0x00007FF78C49B000-memory.dmp	themida
behavioral1/memory/5792-137-0x00007FF78B900000-0x00007FF78C49B000-memory.dmp	themida
behavioral1/memory/5792-136-0x00007FF78B900000-0x00007FF78C49B000-memory.dmp	themida
behavioral1/memory/5792-138-0x00007FF78B900000-0x00007FF78C49B000-memory.dmp	themida
behavioral1/memory/5792-140-0x00007FF78B900000-0x00007FF78C49B000-memory.dmp	themida
C:\Users\Admin\Downloads\Unconfirmed 15629.crdownload	themida
C:\Users\Admin\Downloads\Client.exe	themida
behavioral1/memory/4348-229-0x00007FF710880000-0x00007FF7113C1000-memory.dmp	themida
behavioral1/memory/4348-234-0x00007FF710880000-0x00007FF7113C1000-memory.dmp	themida
behavioral1/memory/4348-235-0x00007FF710880000-0x00007FF7113C1000-memory.dmp	themida
behavioral1/memory/4348-233-0x00007FF710880000-0x00007FF7113C1000-memory.dmp	themida
behavioral1/memory/4348-236-0x00007FF710880000-0x00007FF7113C1000-memory.dmp	themida
behavioral1/memory/4348-237-0x00007FF710880000-0x00007FF7113C1000-memory.dmp	themida
behavioral1/memory/4348-238-0x00007FF710880000-0x00007FF7113C1000-memory.dmp	themida
behavioral1/memory/4348-241-0x00007FF710880000-0x00007FF7113C1000-memory.dmp	themida
behavioral1/memory/4348-242-0x00007FF710880000-0x00007FF7113C1000-memory.dmp	themida
behavioral1/memory/4348-247-0x00007FF710880000-0x00007FF7113C1000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

aoHGrfFs.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aoHGrfFs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Client.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Client.exe

Drops file in System32 directory 1 IoCs

Processes:

Client.exe

description ioc process

File created C:\Windows\SysWOW64\Key.txt Client.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

Client.exeaoHGrfFs.exeClient.exe

pid process

664 Client.exe
5792 aoHGrfFs.exe
4348 Client.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\Key.txt	Client.exe

pid	process
664	Client.exe
5792	aoHGrfFs.exe
4348	Client.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 770097.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 72954.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
3520	msedge.exe
3520	msedge.exe
1188	msedge.exe
1188	msedge.exe
4652	identity_helper.exe
4652	identity_helper.exe
4656	msedge.exe
4656	msedge.exe
208	msedge.exe
208	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Client.exeaoHGrfFs.exeClient.exe

pid process

664 Client.exe
5792 aoHGrfFs.exe
4348 Client.exe

pid	process
664	Client.exe
5792	aoHGrfFs.exe
4348	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1188 wrote to memory of 392	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 392	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3208	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3520	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 3520	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 2412	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 2412	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 2412	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 2412	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 2412	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 2412	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 2412	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 2412	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 2412	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 2412	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 2412	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 2412	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 2412	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 2412	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 2412	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 2412	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 2412	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 2412	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 2412	1188	msedge.exe	msedge.exe
PID 1188 wrote to memory of 2412	1188	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://store8.gofile.io/download/direct/1f07f654-e64c-4970-ad15-0be410adc9e2/Client.exe
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc69e246f8,0x7ffc69e24708,0x7ffc69e24718
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,8327329301033153301,8220856821709983586,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,8327329301033153301,8220856821709983586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,8327329301033153301,8220856821709983586,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2312 /prefetch:8
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,8327329301033153301,8220856821709983586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,8327329301033153301,8220856821709983586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,8327329301033153301,8220856821709983586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,8327329301033153301,8220856821709983586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,8327329301033153301,8220856821709983586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,8327329301033153301,8220856821709983586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2204,8327329301033153301,8220856821709983586,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,8327329301033153301,8220856821709983586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,8327329301033153301,8220856821709983586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,8327329301033153301,8220856821709983586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2204,8327329301033153301,8220856821709983586,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6388 /prefetch:8
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,8327329301033153301,8220856821709983586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6644 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,8327329301033153301,8220856821709983586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
  2⤵
  PID:5408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,8327329301033153301,8220856821709983586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:6124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,8327329301033153301,8220856821709983586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
  2⤵
  PID:5176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2204,8327329301033153301,8220856821709983586,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6752 /prefetch:8
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,8327329301033153301,8220856821709983586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:208
- C:\Users\Admin\Downloads\Client.exe
  "C:\Users\Admin\Downloads\Client.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:4348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\Client.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    PID:5756
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\Downloads\Client.exe" MD5
      4⤵
      PID:1112
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:4212
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:2344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3332

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2900

C:\Users\Admin\Downloads\Client.exe
"C:\Users\Admin\Downloads\Client.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\Client.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  PID:3848
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\Downloads\Client.exe" MD5
    3⤵
    PID:2984
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:4452
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn7.filehaus.su/files/1732180401_44301/Client.exe
  2⤵
  PID:5280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc69e246f8,0x7ffc69e24708,0x7ffc69e24718
    3⤵
    PID:5300

C:\Users\Admin\Downloads\aoHGrfFs.exe
"C:\Users\Admin\Downloads\aoHGrfFs.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\aoHGrfFs.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  PID:5892
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\Downloads\aoHGrfFs.exe" MD5
    3⤵
    PID:5908
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:5916
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn7.filehaus.su/files/1732180401_44301/Client.exe
  2⤵
  PID:6044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc69e246f8,0x7ffc69e24708,0x7ffc69e24718
    3⤵
    PID:6056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KeyAuth\Debug\Client\11-22-2024.txt

Filesize
1KB

MD5
2575039ef6bdff49c2af6355baa442e8

SHA1
6ee0b95dfaadf17f5db822169a1591a22aa522fc

SHA256
ae992af2cae581686e1a27ffd25322e484a87d6159ecf599dae1888663fa51bd

SHA512
5b017f6acafaff9f99771b90282cbeab5bad821f3c4b69dbbb4cc6ee4067907ee02b98a17041a1053c5ff3ca5becd777b4cc58347465cfb4d5602db6cc897be8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
184B

MD5
8a39b818eaa2d1352ce0b66e64c19b80

SHA1
dec8e59a7a9ad8922375cb8d236633137bc2b7ba

SHA256
e32fce70d7efc487fc69a99a8c61d94ce4eefe7ae097b3e9ea1fbd58744cb403

SHA512
3139d4288f27f10d98432c7d6a72ea5a522eb8b64db4182d2813ac48ba36e606ec3cc9701e7aac17f99d3ed8c09c434e466b3874155b1b445a83e1a820a6aa16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
da65880fe40d1b42a3e09880b8989d19

SHA1
552bb10a32ee3c5c8064ca929db501e01ff03686

SHA256
db15d2c4cb5a33e5d8f817f2f039ff796c7cb75b4d10e5292371d2821ac90749

SHA512
a7bbcfac33c9cb6449102e36d384e2c49faccea34397e6efc1c5b99c3e965b8b748dfccf47c189316b575df67b21319b5747d7b8ef0e998938970778ecadc230

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2d91a17a84094d1980173ddfec6820d3

SHA1
7cccb13f924ba7887f46af1cbdae056bd5edda5e

SHA256
3fe0e7c9243701d42d8f5fda341e5af7b05311bafd858c23884de18d92a2d8b8

SHA512
77603a7b9bc8df44471bb0378366370e7e3f6a903b36805abbfa7119a9b36411836f7632f35884f3e3ee341f1775f8ab9351de610acdb0bf69421b27a6b638ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e4f042febdbe3b8d6aae7dc444376117

SHA1
4f863c58e9a72a79a82b3a12a2d8da86fc592ca6

SHA256
007ae18b6f7b60a002acaa2a6cb49412870ef8995a842eb921b30c61f20eaf1a

SHA512
f410922f0d2b7661852d3e839d4fadc9522676f4548df5783709186037a6b4e24cff72dac595a46a0f09e670c9e532241cb97df064c7a95575a51c0d9807b272

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
04d21bfe749654aab658b88722c759d7

SHA1
554eb6d53e941cf7be17046268d09c13c655fdbc

SHA256
88973ec66aca4aaab68a52e5cbac0874ddcc3f0e33dbaf18088c74f0b85d880d

SHA512
2cb4f45ac30208770bc31888407f9ecaf9d7736a59b03f654b37576d5ba2028f073cbd7c76706c228da88f7c496994c5e806d7c994e477f6a3b2bfd96ecf9322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a95eccd220c6c6f5baa7c0a83f50e25d

SHA1
65e1f575c74798f295e3f3fd4f91229d070fcfaf

SHA256
e5318524a9507f0614ed907ffcf3c5a286076e99589f18b07a6caa6473de1fcc

SHA512
979467ab1c270de78ce1ad3e377615235196ff106be296b1728cbd44e644d214a61ee7c170475924fb8ab35ef62311126895652759d16623b2ffa955a14c23cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c56dac406fd3fc67379841253c084cff

SHA1
da3873d02c28ff02c63de58a982d184fc69e20aa

SHA256
c3ff08f99e67773c2b93e942b01d7a98370c95093abef5dd4c1b655a0b737543

SHA512
636e90b2995143005df7cf0bbfa2ae8dff1955afcd17c776f8509c275c9742e75eed9ff38510fc2c09be19bf368a15f731e9c14afa99b58a4ae6e92f0cab5700

Download Submit
C:\Users\Admin\Downloads\Client.exe

Filesize
4.3MB

MD5
26dd0c648826d7da57fae8661be3a662

SHA1
88b0cf30576c71e92657abef38a0aeb2ec3730be

SHA256
e14aea53f64719ed2b5b02e9e4b394cdd62cf1e2df868236a6cece543b7309bd

SHA512
c33315a79f23a6ad577234fcffea2d80eaae3e6aad4491cb401b71db125c94098685a5c870cce799ef331e5c6c901a4365e426934d2bf31b23d3538881205c4f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 15629.crdownload

Filesize
63KB

MD5
a2bec22019b0dc904d8d29bb825ac79b

SHA1
c3adcda26dbeabcaf017e0a2d99087febea9b358

SHA256
b249740262217f14a229e1dd28e3b010a8b4d2531c11c4048e661d7663914e75

SHA512
7d4707d65a1cf26cfb16341382ff23d18dd443722566cdcd64c469f90805690bb03482e42e8b3db412b788689de5ba2767a776ab80bf2f62125900571b272527

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 770097.crdownload

Filesize
4.4MB

MD5
a2f1704337c26223167247c1c8a40d89

SHA1
165d4ec361a06ce6c712f8aaff7d5dfa33eda6dc

SHA256
d63a1617ee6005e689123d05bcc14c60105329f68658088050cce509ba98b64e

SHA512
98ef0d0fb80d65b23b7118718a425059fefe3d161dd77234903d54628a5affaf8ab22d891e7568a133f2f75bb45b7b81af465a3c7a1fdbb2d972fd3f8a499904

Download Submit
\??\pipe\LOCAL\crashpad_1188_GBHGMGVIEYJTVBGP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/664-77-0x00007FF7B5AD0000-0x00007FF7B666B000-memory.dmp

Filesize
11.6MB

Download
memory/664-80-0x00007FF7B5AD0000-0x00007FF7B666B000-memory.dmp

Filesize
11.6MB

Download
memory/664-82-0x00007FF7B5AD0000-0x00007FF7B666B000-memory.dmp

Filesize
11.6MB

Download
memory/664-75-0x00007FF7B5AD0000-0x00007FF7B666B000-memory.dmp

Filesize
11.6MB

Download
memory/664-94-0x00007FF7B5AD0000-0x00007FF7B666B000-memory.dmp

Filesize
11.6MB

Download
memory/664-78-0x00007FF7B5AD0000-0x00007FF7B666B000-memory.dmp

Filesize
11.6MB

Download
memory/664-79-0x00007FF7B5AD0000-0x00007FF7B666B000-memory.dmp

Filesize
11.6MB

Download
memory/664-81-0x00007FF7B5AD0000-0x00007FF7B666B000-memory.dmp

Filesize
11.6MB

Download
memory/4348-236-0x00007FF710880000-0x00007FF7113C1000-memory.dmp

Filesize
11.3MB

Download
memory/4348-238-0x00007FF710880000-0x00007FF7113C1000-memory.dmp

Filesize
11.3MB

Download
memory/4348-247-0x00007FF710880000-0x00007FF7113C1000-memory.dmp

Filesize
11.3MB

Download
memory/4348-242-0x00007FF710880000-0x00007FF7113C1000-memory.dmp

Filesize
11.3MB

Download
memory/4348-241-0x00007FF710880000-0x00007FF7113C1000-memory.dmp

Filesize
11.3MB

Download
memory/4348-237-0x00007FF710880000-0x00007FF7113C1000-memory.dmp

Filesize
11.3MB

Download
memory/4348-233-0x00007FF710880000-0x00007FF7113C1000-memory.dmp

Filesize
11.3MB

Download
memory/4348-229-0x00007FF710880000-0x00007FF7113C1000-memory.dmp

Filesize
11.3MB

Download
memory/4348-234-0x00007FF710880000-0x00007FF7113C1000-memory.dmp

Filesize
11.3MB

Download
memory/4348-235-0x00007FF710880000-0x00007FF7113C1000-memory.dmp

Filesize
11.3MB

Download
memory/5792-134-0x00007FF78B900000-0x00007FF78C49B000-memory.dmp

Filesize
11.6MB

Download
memory/5792-133-0x00007FF78B900000-0x00007FF78C49B000-memory.dmp

Filesize
11.6MB

Download
memory/5792-135-0x00007FF78B900000-0x00007FF78C49B000-memory.dmp

Filesize
11.6MB

Download
memory/5792-138-0x00007FF78B900000-0x00007FF78C49B000-memory.dmp

Filesize
11.6MB

Download
memory/5792-132-0x00007FF78B900000-0x00007FF78C49B000-memory.dmp

Filesize
11.6MB

Download
memory/5792-137-0x00007FF78B900000-0x00007FF78C49B000-memory.dmp

Filesize
11.6MB

Download
memory/5792-136-0x00007FF78B900000-0x00007FF78C49B000-memory.dmp

Filesize
11.6MB

Download
memory/5792-140-0x00007FF78B900000-0x00007FF78C49B000-memory.dmp

Filesize
11.6MB

Download