Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

URLScan

urlscan

https://github.com/D...

windows11-21h2-x64

10

Resubmissions

01/02/2025, 20:30

250201-zac4lsypgw 4

01/02/2025, 13:08

250201-qc7lkavran 10

Analysis

  • max time kernel
    222s
  • max time network
    223s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    01/02/2025, 13:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://github.com/Da2dalus/The-MALWARE-Repo

Score
10/10
crimsonratdarkcometfantomnjratrevengerattroldeshwarzoneratguestdefense_evasiondiscoveryinfostealerpersistenceprivilege_escalationransomwareratrezer0stealertrojan

Malware Config

Extracted

Family

crimsonrat

C2

185.136.161.124

Extracted

Family

revengerat

Botnet

Guest

C2

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Family

warzonerat

C2

168.61.222.215:5400

Extracted

Path

C:\Program Files\Common Files\microsoft shared\ink\ar-SA\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>RNQDz8VkH0wFMaGVt88nv06WGQ6FRHHhdpwu2QONzuP1THRZx0/CD11UHU1t8Ng4rXVdLqR9exTcbYH6DJuvkWB3hvmY3oBHEiBi0tKiT2NvmjBPrq89EsxJOJ14uhgvy6uCLoj9/6a0J4ozOK+My4pEWUxkaru2w5DiZwRxDy56+OxY9tEz0TED6TIAJufXhPQbXv3IUkF9NT3gs/y2lPJyl24KyVoRO2vqeE+SyZUYtx0vjJgH91vDEGLEsgCUfcKCn8QRdBGK2mNodfJFlubBiEtcsIO08odJQpXIOypBxDflAqwmZ6FdopghroPuD+4MK4Ujmsz2x50cND1y9w==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Signatures

  • CrimsonRAT main payload 1 IoCs
  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    ratcrimsonrat
  • Crimsonrat family
    crimsonrat
  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Fantom

    Ransomware which hides encryption process behind fake Windows Update screen.

    ransomwarefantom
  • Fantom family
    fantom
  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
    persistence
  • Njrat family
    njrat
  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Revengerat family
    revengerat
  • Troldesh family
    troldesh
  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzonerat family
    warzonerat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Renames multiple (141) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • RevengeRat Executable 1 IoCs
    stealer
  • Warzone RAT payload 2 IoCs
    rat
  • Disables RegEdit via registry modification 2 IoCs
    defense_evasion
  • Disables Task Manager via registry modification
    defense_evasion
  • Downloads MZ/PE file 10 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    defense_evasion
  • Sets file to hidden 1 TTPs 6 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    defense_evasion
  • Drops startup file 8 IoCs
  • Executes dropped EXE 15 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 9 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 15 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 10 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

    defense_evasion
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 6 IoCs
    defense_evasion
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies registry class 4 IoCs
  • NTFS ADS 27 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 14 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 37 IoCs
    defense_evasion
  • Views/modifies file attributes 1 TTPs 6 IoCs
    defense_evasion

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc19bb3cb8,0x7ffc19bb3cc8,0x7ffc19bb3cd8
      2⤵
        PID:3640
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2020 /prefetch:2
        2⤵
          PID:1124
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 /prefetch:3
          2⤵
          • Downloads MZ/PE file
          • Suspicious behavior: EnumeratesProcesses
          PID:3720
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
          2⤵
            PID:2836
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
            2⤵
              PID:1552
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
              2⤵
                PID:3164
              • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:3112
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:4032
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
                2⤵
                  PID:4752
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
                  2⤵
                    PID:4372
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
                    2⤵
                      PID:2580
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
                      2⤵
                        PID:2272
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
                        2⤵
                          PID:4524
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
                          2⤵
                            PID:4664
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6284 /prefetch:8
                            2⤵
                              PID:4164
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6564 /prefetch:8
                              2⤵
                              • Subvert Trust Controls: Mark-of-the-Web Bypass
                              • NTFS ADS
                              • Suspicious behavior: EnumeratesProcesses
                              PID:2856
                            • C:\Users\Admin\Downloads\Blackkomet.exe
                              "C:\Users\Admin\Downloads\Blackkomet.exe"
                              2⤵
                              • Modifies WinLogon for persistence
                              • Executes dropped EXE
                              • Adds Run key to start application
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2312
                              • C:\Windows\SysWOW64\attrib.exe
                                attrib "C:\Users\Admin\Downloads\Blackkomet.exe" +s +h
                                3⤵
                                • Sets file to hidden
                                • System Location Discovery: System Language Discovery
                                • Views/modifies file attributes
                                PID:124
                              • C:\Windows\SysWOW64\attrib.exe
                                attrib "C:\Users\Admin\Downloads" +s +h
                                3⤵
                                • Sets file to hidden
                                • System Location Discovery: System Language Discovery
                                • Views/modifies file attributes
                                PID:1328
                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                3⤵
                                • Modifies WinLogon for persistence
                                • Executes dropped EXE
                                • Adds Run key to start application
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4916
                                • C:\Windows\SysWOW64\attrib.exe
                                  attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                                  4⤵
                                  • Sets file to hidden
                                  • Drops file in System32 directory
                                  • Views/modifies file attributes
                                  PID:840
                                • C:\Windows\SysWOW64\attrib.exe
                                  attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                                  4⤵
                                  • Sets file to hidden
                                  • Drops file in System32 directory
                                  • Views/modifies file attributes
                                  PID:240
                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                  "C:\Windows\system32\Windupdt\winupdate.exe"
                                  4⤵
                                  • Modifies WinLogon for persistence
                                  • Executes dropped EXE
                                  • Adds Run key to start application
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2104
                                  • C:\Windows\SysWOW64\attrib.exe
                                    attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                                    5⤵
                                    • Sets file to hidden
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Views/modifies file attributes
                                    PID:4112
                                  • C:\Windows\SysWOW64\attrib.exe
                                    attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                                    5⤵
                                    • Sets file to hidden
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Views/modifies file attributes
                                    PID:3844
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
                              2⤵
                                PID:2476
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6068 /prefetch:8
                                2⤵
                                  PID:732
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
                                  2⤵
                                  • Subvert Trust Controls: Mark-of-the-Web Bypass
                                  • NTFS ADS
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:3996
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
                                  2⤵
                                    PID:4060
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6688 /prefetch:8
                                    2⤵
                                      PID:5040
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
                                      2⤵
                                      • Subvert Trust Controls: Mark-of-the-Web Bypass
                                      • NTFS ADS
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:1592
                                    • C:\Users\Admin\Downloads\CrimsonRAT.exe
                                      "C:\Users\Admin\Downloads\CrimsonRAT.exe"
                                      2⤵
                                      • Executes dropped EXE
                                      PID:888
                                      • C:\ProgramData\Hdlharas\dlrarhsiva.exe
                                        "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
                                        3⤵
                                        • Executes dropped EXE
                                        PID:5052
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
                                      2⤵
                                        PID:4592
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5084 /prefetch:8
                                        2⤵
                                          PID:2788
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
                                          2⤵
                                          • Subvert Trust Controls: Mark-of-the-Web Bypass
                                          • NTFS ADS
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:4124
                                        • C:\Users\Admin\Downloads\NJRat.exe
                                          "C:\Users\Admin\Downloads\NJRat.exe"
                                          2⤵
                                          • Drops startup file
                                          • Executes dropped EXE
                                          • Adds Run key to start application
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:1356
                                          • C:\Windows\SysWOW64\netsh.exe
                                            netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE
                                            3⤵
                                            • Modifies Windows Firewall
                                            • Event Triggered Execution: Netsh Helper DLL
                                            • System Location Discovery: System Language Discovery
                                            PID:2368
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
                                          2⤵
                                            PID:1428
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:1
                                            2⤵
                                              PID:4392
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2580 /prefetch:8
                                              2⤵
                                                PID:884
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6560 /prefetch:8
                                                2⤵
                                                • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                • NTFS ADS
                                                PID:988
                                              • C:\Users\Admin\Downloads\RevengeRAT.exe
                                                "C:\Users\Admin\Downloads\RevengeRAT.exe"
                                                2⤵
                                                • Executes dropped EXE
                                                • Suspicious use of SetThreadContext
                                                PID:3928
                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                  3⤵
                                                  • Drops startup file
                                                  • Suspicious use of SetThreadContext
                                                  • System Location Discovery: System Language Discovery
                                                  • Checks processor information in registry
                                                  • NTFS ADS
                                                  PID:1372
                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                    4⤵
                                                      PID:4844
                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cazk9cvd.cmdline"
                                                      4⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:1248
                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C6C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc91C430651F5C45A79C8022C081A1DB9.TMP"
                                                        5⤵
                                                          PID:3400
                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jwilxfps.cmdline"
                                                        4⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:1428
                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6CF9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8781784B55B3482F93C9AD886B427B80.TMP"
                                                          5⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:3668
                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nf-xwk-2.cmdline"
                                                        4⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:4148
                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6DA4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA54DD10D66C04636A9305E4A4D961832.TMP"
                                                          5⤵
                                                            PID:2548
                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iittwlb9.cmdline"
                                                          4⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:2972
                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E31.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFFECBF78DDBA4C9B9DBEF0454CBBA60.TMP"
                                                            5⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:3936
                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ahoqhbwn.cmdline"
                                                          4⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:1056
                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E8F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE068F79E69742129C4A5FD08D78E4CC.TMP"
                                                            5⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:2068
                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\azn3sisi.cmdline"
                                                          4⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:2844
                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F2B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1978D42C91904CC28E7F893E12F4F793.TMP"
                                                            5⤵
                                                              PID:2280
                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_rmpq1xu.cmdline"
                                                            4⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:1936
                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FC7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDDB012D7F05F43CCB645642A808F249.TMP"
                                                              5⤵
                                                                PID:2072
                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yfqfquja.cmdline"
                                                              4⤵
                                                                PID:2408
                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7044.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc440BE15A6E4268B0D259223DBC70FC.TMP"
                                                                  5⤵
                                                                    PID:3980
                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e6oeqbff.cmdline"
                                                                  4⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3924
                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70C1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc52FA1DA1F3A4E289F539FB965F9F80.TMP"
                                                                    5⤵
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:4860
                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qcuibcie.cmdline"
                                                                  4⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3848
                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES714E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9252C0A93A1245A1A6DD2F3876C825D2.TMP"
                                                                    5⤵
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:3268
                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hfqrw8dh.cmdline"
                                                                  4⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3604
                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF94452D9550D48918D41BABBD279C998.TMP"
                                                                    5⤵
                                                                      PID:2820
                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\znblrfsu.cmdline"
                                                                    4⤵
                                                                      PID:2284
                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7238.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE87B04DB6C754C5EB49998204938B5A4.TMP"
                                                                        5⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:5024
                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jo7x34xt.cmdline"
                                                                      4⤵
                                                                        PID:2036
                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES72B5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF84A8F095BE4D6495E27449BEA8E69B.TMP"
                                                                          5⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:3880
                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ticqia8q.cmdline"
                                                                        4⤵
                                                                          PID:3252
                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7352.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5D070E458BDC423B8AC86C12F0B33D.TMP"
                                                                            5⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:2696
                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6vkvs0df.cmdline"
                                                                          4⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:3388
                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES73CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4710F1FBEA564EC1B664974934E4129.TMP"
                                                                            5⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:1228
                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\erf-hn_q.cmdline"
                                                                          4⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:4104
                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES744C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc70E6496C6B954E84B65590DF4D8F7E42.TMP"
                                                                            5⤵
                                                                              PID:2960
                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uytqxxyo.cmdline"
                                                                            4⤵
                                                                              PID:3048
                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74E8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc34EC9FED83A84A6BB0348EBEF0DFC510.TMP"
                                                                                5⤵
                                                                                  PID:2848
                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q-_e8eew.cmdline"
                                                                                4⤵
                                                                                  PID:3616
                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7565.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA3429BEB1BF44188CAD7D9DE64CE8B6.TMP"
                                                                                    5⤵
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:2260
                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a6zczyvy.cmdline"
                                                                                  4⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:3724
                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFF35C30ADB09411EB05A2FC53BB6C81.TMP"
                                                                                    5⤵
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:1676
                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hncgzyes.cmdline"
                                                                                  4⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:4264
                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES767E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC2A4D6D9774946DD89442E25A1C6369.TMP"
                                                                                    5⤵
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:3928
                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uqhhcub1.cmdline"
                                                                                  4⤵
                                                                                    PID:1724
                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7759.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9841968821684C50A42C7569EB68926C.TMP"
                                                                                      5⤵
                                                                                        PID:4556
                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
                                                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
                                                                                      4⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of SetThreadContext
                                                                                      PID:3616
                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                        5⤵
                                                                                        • Drops startup file
                                                                                        • Adds Run key to start application
                                                                                        • Suspicious use of SetThreadContext
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Checks processor information in registry
                                                                                        • NTFS ADS
                                                                                        PID:4076
                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                          6⤵
                                                                                            PID:1952
                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                            schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
                                                                                            6⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:3396
                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w5yulkk6.cmdline"
                                                                                            6⤵
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:124
                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD56D1371F5E243938710DD4D6409328.TMP"
                                                                                              7⤵
                                                                                                PID:2436
                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vyr3aocg.cmdline"
                                                                                              6⤵
                                                                                                PID:4992
                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2982.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE3B6D0BB179240CA97A991FF6B7AB70.TMP"
                                                                                                  7⤵
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:3064
                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\navzx3kg.cmdline"
                                                                                                6⤵
                                                                                                  PID:4068
                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29FF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc825ED940CC244C05BDCBCB3CC099C6AE.TMP"
                                                                                                    7⤵
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:3492
                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x5hoxda2.cmdline"
                                                                                                  6⤵
                                                                                                    PID:772
                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A5D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5048AEAFCC944805AD4DFB39FCB4289A.TMP"
                                                                                                      7⤵
                                                                                                        PID:3904
                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i4enp52k.cmdline"
                                                                                                      6⤵
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:2004
                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2ADA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCAD94E5AE80C4D5EB4F575B177EC9AA.TMP"
                                                                                                        7⤵
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:3228
                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bgkoxtv6.cmdline"
                                                                                                      6⤵
                                                                                                        PID:1592
                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B67.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5816D60BC5EB420A85B396138D83F6A.TMP"
                                                                                                          7⤵
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:2872
                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xgykifj4.cmdline"
                                                                                                        6⤵
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:1700
                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C03.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAE5A9B4E3D17431E9A98FECC7D4143.TMP"
                                                                                                          7⤵
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:4728
                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\79y2vzjz.cmdline"
                                                                                                        6⤵
                                                                                                          PID:1152
                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CAF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA6D7A55C137B4A6FA7DF5B35D7F33415.TMP"
                                                                                                            7⤵
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:4676
                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dtw1cjdx.cmdline"
                                                                                                          6⤵
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:3056
                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E06.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc665B580C94D84C308E46ADC216A6ADE.TMP"
                                                                                                            7⤵
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:340
                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ywpzhgvc.cmdline"
                                                                                                          6⤵
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:684
                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EC2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7EB8D15DD014788B2AFDBB54E8974F.TMP"
                                                                                                            7⤵
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:3608
                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pevn2ie8.cmdline"
                                                                                                          6⤵
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:3796
                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6311.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4E5703AD30F4FB7BA37EB87EBD96FCE.TMP"
                                                                                                            7⤵
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:3076
                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5_xoedel.cmdline"
                                                                                                          6⤵
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:3036
                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES63AD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E8ECC872F1F478795FF128192464A16.TMP"
                                                                                                            7⤵
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:2468
                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\daabmvah.cmdline"
                                                                                                          6⤵
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:4172
                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6449.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc574B584FC6F3453B878038AC322E965D.TMP"
                                                                                                            7⤵
                                                                                                              PID:716
                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d9hx2q3c.cmdline"
                                                                                                            6⤵
                                                                                                              PID:4992
                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6497.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9315A761C9493899544A3D7877119.TMP"
                                                                                                                7⤵
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:3636
                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6zdyd6qe.cmdline"
                                                                                                              6⤵
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              PID:1996
                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6524.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9CCE73D6F8C416598BAB522A9C81B78.TMP"
                                                                                                                7⤵
                                                                                                                  PID:4652
                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qgqnm9ce.cmdline"
                                                                                                                6⤵
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:912
                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65D0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1BFC2181F0E4C91959618FCDBD37818.TMP"
                                                                                                                  7⤵
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:3848
                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g-ismjmq.cmdline"
                                                                                                                6⤵
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:4184
                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES66AA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA244B7D42B498E942ADEF327D4AACB.TMP"
                                                                                                                  7⤵
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:3656
                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
                                                                                                        2⤵
                                                                                                          PID:1888
                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7016 /prefetch:8
                                                                                                          2⤵
                                                                                                            PID:2548
                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6888 /prefetch:8
                                                                                                            2⤵
                                                                                                            • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                                                            • NTFS ADS
                                                                                                            PID:1992
                                                                                                          • C:\Users\Admin\Downloads\WarzoneRAT.exe
                                                                                                            "C:\Users\Admin\Downloads\WarzoneRAT.exe"
                                                                                                            2⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious use of SetThreadContext
                                                                                                            • NTFS ADS
                                                                                                            PID:4052
                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                              "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3CD0.tmp"
                                                                                                              3⤵
                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                              PID:3584
                                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                                              3⤵
                                                                                                                PID:3656
                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                                                3⤵
                                                                                                                  PID:2116
                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6936 /prefetch:2
                                                                                                                2⤵
                                                                                                                  PID:3948
                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
                                                                                                                  2⤵
                                                                                                                    PID:4780
                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5052 /prefetch:8
                                                                                                                    2⤵
                                                                                                                      PID:3080
                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4140 /prefetch:8
                                                                                                                      2⤵
                                                                                                                      • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                                                                      • NTFS ADS
                                                                                                                      PID:1668
                                                                                                                    • C:\Users\Admin\Downloads\AgentTesla.exe
                                                                                                                      "C:\Users\Admin\Downloads\AgentTesla.exe"
                                                                                                                      2⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                      PID:3272
                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
                                                                                                                      2⤵
                                                                                                                        PID:1588
                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6988 /prefetch:8
                                                                                                                        2⤵
                                                                                                                          PID:760
                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3412 /prefetch:8
                                                                                                                          2⤵
                                                                                                                          • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                                                                          • NTFS ADS
                                                                                                                          PID:4372
                                                                                                                        • C:\Users\Admin\Downloads\Fantom.exe
                                                                                                                          "C:\Users\Admin\Downloads\Fantom.exe"
                                                                                                                          2⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in Program Files directory
                                                                                                                          PID:4972
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
                                                                                                                            3⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:3936
                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
                                                                                                                          2⤵
                                                                                                                            PID:2312
                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7036 /prefetch:8
                                                                                                                            2⤵
                                                                                                                              PID:4172
                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
                                                                                                                              2⤵
                                                                                                                                PID:1656
                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 /prefetch:8
                                                                                                                                2⤵
                                                                                                                                • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                                                                                • NTFS ADS
                                                                                                                                PID:3492
                                                                                                                              • C:\Users\Admin\Downloads\Krotten.exe
                                                                                                                                "C:\Users\Admin\Downloads\Krotten.exe"
                                                                                                                                2⤵
                                                                                                                                • Disables RegEdit via registry modification
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Adds Run key to start application
                                                                                                                                • Modifies WinLogon
                                                                                                                                • Drops file in Windows directory
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                • Modifies Control Panel
                                                                                                                                • Modifies Internet Explorer settings
                                                                                                                                • Modifies Internet Explorer start page
                                                                                                                                • Modifies registry class
                                                                                                                                • System policy modification
                                                                                                                                PID:3652
                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
                                                                                                                                2⤵
                                                                                                                                  PID:2904
                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6668 /prefetch:8
                                                                                                                                  2⤵
                                                                                                                                    PID:2872
                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
                                                                                                                                    2⤵
                                                                                                                                    • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                                                                                    • NTFS ADS
                                                                                                                                    PID:1236
                                                                                                                                  • C:\Users\Admin\Downloads\NoMoreRansom.exe
                                                                                                                                    "C:\Users\Admin\Downloads\NoMoreRansom.exe"
                                                                                                                                    2⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Adds Run key to start application
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:2044
                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
                                                                                                                                    2⤵
                                                                                                                                      PID:2408
                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7052 /prefetch:8
                                                                                                                                      2⤵
                                                                                                                                        PID:2296
                                                                                                                                    • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                      1⤵
                                                                                                                                        PID:1956
                                                                                                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                        1⤵
                                                                                                                                          PID:2272
                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
                                                                                                                                          1⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                          PID:3716
                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                                            2⤵
                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                            PID:2104
                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                                              3⤵
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              PID:2136

                                                                                                                                        Network

                                                                                                                                        MITRE ATT&CK Enterprise v15

                                                                                                                                        Reconnaissance

                                                                                                                                        Resource Development

                                                                                                                                        Initial Access

                                                                                                                                        Execution

                                                                                                                                        Command and Scripting Interpreter

                                                                                                                                        1
                                                                                                                                        T1059

                                                                                                                                        Scheduled Task/Job

                                                                                                                                        1
                                                                                                                                        T1053

                                                                                                                                        Scheduled Task

                                                                                                                                        1
                                                                                                                                        T1053.005

                                                                                                                                        Persistence

                                                                                                                                        Boot or Logon Autostart Execution

                                                                                                                                        3
                                                                                                                                        T1547

                                                                                                                                        Registry Run Keys / Startup Folder

                                                                                                                                        1
                                                                                                                                        T1547.001

                                                                                                                                        Winlogon Helper DLL

                                                                                                                                        2
                                                                                                                                        T1547.004

                                                                                                                                        Create or Modify System Process

                                                                                                                                        1
                                                                                                                                        T1543

                                                                                                                                        Windows Service

                                                                                                                                        1
                                                                                                                                        T1543.003

                                                                                                                                        Event Triggered Execution

                                                                                                                                        1
                                                                                                                                        T1546

                                                                                                                                        Netsh Helper DLL

                                                                                                                                        1
                                                                                                                                        T1546.007

                                                                                                                                        Scheduled Task/Job

                                                                                                                                        1
                                                                                                                                        T1053

                                                                                                                                        Scheduled Task

                                                                                                                                        1
                                                                                                                                        T1053.005

                                                                                                                                        Privilege Escalation

                                                                                                                                        Boot or Logon Autostart Execution

                                                                                                                                        3
                                                                                                                                        T1547

                                                                                                                                        Registry Run Keys / Startup Folder

                                                                                                                                        1
                                                                                                                                        T1547.001

                                                                                                                                        Winlogon Helper DLL

                                                                                                                                        2
                                                                                                                                        T1547.004

                                                                                                                                        Create or Modify System Process

                                                                                                                                        1
                                                                                                                                        T1543

                                                                                                                                        Windows Service

                                                                                                                                        1
                                                                                                                                        T1543.003

                                                                                                                                        Event Triggered Execution

                                                                                                                                        1
                                                                                                                                        T1546

                                                                                                                                        Netsh Helper DLL

                                                                                                                                        1
                                                                                                                                        T1546.007

                                                                                                                                        Scheduled Task/Job

                                                                                                                                        1
                                                                                                                                        T1053

                                                                                                                                        Scheduled Task

                                                                                                                                        1
                                                                                                                                        T1053.005

                                                                                                                                        Defense Evasion

                                                                                                                                        Hide Artifacts

                                                                                                                                        2
                                                                                                                                        T1564

                                                                                                                                        Hidden Files and Directories

                                                                                                                                        2
                                                                                                                                        T1564.001

                                                                                                                                        Impair Defenses

                                                                                                                                        1
                                                                                                                                        T1562

                                                                                                                                        Disable or Modify System Firewall

                                                                                                                                        1
                                                                                                                                        T1562.004

                                                                                                                                        Modify Registry

                                                                                                                                        6
                                                                                                                                        T1112

                                                                                                                                        Subvert Trust Controls

                                                                                                                                        1
                                                                                                                                        T1553

                                                                                                                                        SIP and Trust Provider Hijacking

                                                                                                                                        1
                                                                                                                                        T1553.003

                                                                                                                                        Credential Access

                                                                                                                                        Discovery

                                                                                                                                        Browser Information Discovery

                                                                                                                                        1
                                                                                                                                        T1217

                                                                                                                                        Query Registry

                                                                                                                                        2
                                                                                                                                        T1012

                                                                                                                                        System Information Discovery

                                                                                                                                        3
                                                                                                                                        T1082

                                                                                                                                        System Location Discovery

                                                                                                                                        1
                                                                                                                                        T1614

                                                                                                                                        System Language Discovery

                                                                                                                                        1
                                                                                                                                        T1614.001

                                                                                                                                        Lateral Movement

                                                                                                                                        Collection

                                                                                                                                        Command and Control

                                                                                                                                        Web Service

                                                                                                                                        1
                                                                                                                                        T1102

                                                                                                                                        Exfiltration

                                                                                                                                        Impact

                                                                                                                                        Replay Monitor

                                                                                                                                        Loading Replay Monitor...

                                                                                                                                        Downloads

                                                                                                                                        • C:\Program Files\Common Files\microsoft shared\ink\ar-SA\DECRYPT_YOUR_FILES.HTML
                                                                                                                                          Filesize

                                                                                                                                          1KB

                                                                                                                                          MD5

                                                                                                                                          cba3e132a0eb4d8f555cfb365f5d1fdf

                                                                                                                                          SHA1

                                                                                                                                          ae5d87c45fefef329c51f3cc7cfd318df3c3a108

                                                                                                                                          SHA256

                                                                                                                                          c0edd5cfbc36555552693562e8d8ce5853b12c0981e89586034324680a4ec757

                                                                                                                                          SHA512

                                                                                                                                          a60fc5feb75f68884cb95c545d6913fdca59375363994984d854e76edf9be693413f2b8db6af5012f133a5c2b029f8373713670102727a471fa63ec5f0cfd22a

                                                                                                                                          Download Submit

                                                                                                                                        • C:\ProgramData\Hdlharas\dlrarhsiva.exe
                                                                                                                                          Filesize

                                                                                                                                          9.1MB

                                                                                                                                          MD5

                                                                                                                                          64261d5f3b07671f15b7f10f2f78da3f

                                                                                                                                          SHA1

                                                                                                                                          d4f978177394024bb4d0e5b6b972a5f72f830181

                                                                                                                                          SHA256

                                                                                                                                          87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

                                                                                                                                          SHA512

                                                                                                                                          3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

                                                                                                                                          Download Submit

                                                                                                                                        • C:\ProgramData\Hdlharas\mdkhm.zip
                                                                                                                                          Filesize

                                                                                                                                          56KB

                                                                                                                                          MD5

                                                                                                                                          b635f6f767e485c7e17833411d567712

                                                                                                                                          SHA1

                                                                                                                                          5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

                                                                                                                                          SHA256

                                                                                                                                          6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

                                                                                                                                          SHA512

                                                                                                                                          551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

                                                                                                                                          Download Submit

                                                                                                                                        • C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico
                                                                                                                                          Filesize

                                                                                                                                          4KB

                                                                                                                                          MD5

                                                                                                                                          602ddd0c457eb622800ec2b65d1a3723

                                                                                                                                          SHA1

                                                                                                                                          e322f2927b3eb868f88f61318589cdbc9b5e4554

                                                                                                                                          SHA256

                                                                                                                                          6491b2ebfda073e601f99be125c6ce0c4a72162e0995c673605c673581023a82

                                                                                                                                          SHA512

                                                                                                                                          eb0cd42b7178ee205af959b3b811bf85c44343c2e3ead6678ece7bc340fd0efdde3067a583649d12aa2123b555a4cc2a7be7a587fb2874a9f9aa666093df782b

                                                                                                                                          Download Submit

                                                                                                                                        • C:\ProgramData\svchost\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico
                                                                                                                                          Filesize

                                                                                                                                          4KB

                                                                                                                                          MD5

                                                                                                                                          28d98fecf9351c6a31c9c37a738f7c15

                                                                                                                                          SHA1

                                                                                                                                          c449dee100d5219a28019537472edc6a42a87db2

                                                                                                                                          SHA256

                                                                                                                                          39445a090b7ce086d5efb4ac35add13672fac9bf40eb481b54fa87302a3f45e0

                                                                                                                                          SHA512

                                                                                                                                          f5c2458348347798304393fdb5c77f4f7ed7245c0d4c7594deb0113262828cb8e210e7b48a4aa7c4d2fe1e31201b4e326cd60a6f9d4e3ba1a7fbef322dde0971

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                          Filesize

                                                                                                                                          152B

                                                                                                                                          MD5

                                                                                                                                          fdee96b970080ef7f5bfa5964075575e

                                                                                                                                          SHA1

                                                                                                                                          2c821998dc2674d291bfa83a4df46814f0c29ab4

                                                                                                                                          SHA256

                                                                                                                                          a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

                                                                                                                                          SHA512

                                                                                                                                          20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                          Filesize

                                                                                                                                          152B

                                                                                                                                          MD5

                                                                                                                                          46e6ad711a84b5dc7b30b75297d64875

                                                                                                                                          SHA1

                                                                                                                                          8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

                                                                                                                                          SHA256

                                                                                                                                          77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

                                                                                                                                          SHA512

                                                                                                                                          8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                                                                                          Filesize

                                                                                                                                          1KB

                                                                                                                                          MD5

                                                                                                                                          a02ba5b8cf138d82c62fc5c30dfb5f9c

                                                                                                                                          SHA1

                                                                                                                                          38714d5ef470b3c78d7b95fd2dcc2b2cceb2a81d

                                                                                                                                          SHA256

                                                                                                                                          3e083ef9268d86a27fbf43c5fe9f7ca2e86a36a30efcdbeed47c063e05d56ef8

                                                                                                                                          SHA512

                                                                                                                                          cf72d606cd74e20a70849496b0c64ecbde69e4994bdade405a8e9de4ca526e11d11b15708201fca43a1ea88f4b52957fa0eefffb9d2e37eb97e9b60cef93d3b1

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                                                                          Filesize

                                                                                                                                          579B

                                                                                                                                          MD5

                                                                                                                                          ed5f4213c17629776cd75510648fc019

                                                                                                                                          SHA1

                                                                                                                                          ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9

                                                                                                                                          SHA256

                                                                                                                                          e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87

                                                                                                                                          SHA512

                                                                                                                                          71bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                                                                          Filesize

                                                                                                                                          111B

                                                                                                                                          MD5

                                                                                                                                          285252a2f6327d41eab203dc2f402c67

                                                                                                                                          SHA1

                                                                                                                                          acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                                                                                                                          SHA256

                                                                                                                                          5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                                                                                                                          SHA512

                                                                                                                                          11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                                                                          Filesize

                                                                                                                                          579B

                                                                                                                                          MD5

                                                                                                                                          b8fdc8d04b83beb089126efbce00f896

                                                                                                                                          SHA1

                                                                                                                                          971ff6e70884b2cdf229be5a0cad066e3bdb085b

                                                                                                                                          SHA256

                                                                                                                                          c3084bc354488bb98cea934da0e3d6a462b574774df7f3b4fe289688acf3ebfe

                                                                                                                                          SHA512

                                                                                                                                          f5f0033e6bc47a723773fb221dbb2d5b684209ffc7a8046e708df1f5cade52b05158d2fc09fdb3867ca1922734f64fc5cb3bb7224da24df348085092385a45fd

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                          Filesize

                                                                                                                                          6KB

                                                                                                                                          MD5

                                                                                                                                          bd2103a2c2dac5680cac80dd06a3e9b3

                                                                                                                                          SHA1

                                                                                                                                          b68f7cdd952c5dd1c150938a73cced28c567f063

                                                                                                                                          SHA256

                                                                                                                                          9c33965f4c783bee6391796a39d2a5b83593d1ddbf18ef2a367f9cba4215280c

                                                                                                                                          SHA512

                                                                                                                                          904110b7fa1d366a41f880abe21d28beaf93d72ebbab3299a569fcaeebe6bb2d21bdf51579c6349e8c26dd2a4c70c29ba28df504e5543bf85f61c9ddb35d6aa0

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                          Filesize

                                                                                                                                          5KB

                                                                                                                                          MD5

                                                                                                                                          6357d89884fa3fb2426e49c5153d350e

                                                                                                                                          SHA1

                                                                                                                                          bae83d7d020795e890ef718e5c7e98545510bbb4

                                                                                                                                          SHA256

                                                                                                                                          9c46c410e0205ac893c768cd4dbc227865ff194f8ae4d0728286db4ec16b4904

                                                                                                                                          SHA512

                                                                                                                                          793f3e50c0f0f38f08408b2e8d320754f76db80b6d09d2535767f08aac047fd9431e47c72145926258c7e1eea02a304abb7f87638f43c72644fc2b7dba7dcc37

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                                          Filesize

                                                                                                                                          1KB

                                                                                                                                          MD5

                                                                                                                                          623dafc58f5aa34734de28e29440f233

                                                                                                                                          SHA1

                                                                                                                                          bf0610c0f00310bb1ef82149e75efefba23e1922

                                                                                                                                          SHA256

                                                                                                                                          ec5ec9e4c7e17ca4001f4532ebb00070151dd985c526d2cd504044b60f810524

                                                                                                                                          SHA512

                                                                                                                                          5dfd337d0f76d188a53a0124737fd903df20da14519653bc2c4c0d59fd3ec31ae7b38bdf6f61e9e99df97da93edd6bfe8dc40d1e0156ec27b88cf42a6b644262

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                                          Filesize

                                                                                                                                          1KB

                                                                                                                                          MD5

                                                                                                                                          ffa77d4503c2878f6dd5bdc8acdb4d4a

                                                                                                                                          SHA1

                                                                                                                                          d3a97d787f23e3c1377a0c25d308037f1245880f

                                                                                                                                          SHA256

                                                                                                                                          5de1a41f6db3f1cf0d43c11800a8255537ef95cfa56b03da70e71c96bb4ed123

                                                                                                                                          SHA512

                                                                                                                                          7eb97d1393f5c7260e831ac2136784751c333576281e4e4d647df8e097853e07101165fb03a9a986802edc9bcbe2cdbe4c77c828af0873ac40a8bd330948a898

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                                          Filesize

                                                                                                                                          1KB

                                                                                                                                          MD5

                                                                                                                                          1682653ea0cc4c3b9b74f8409ee30b2f

                                                                                                                                          SHA1

                                                                                                                                          1799201985ba603a7029d95ec4d16cf971cebe4d

                                                                                                                                          SHA256

                                                                                                                                          0712746db3b7a3c201e1a7f891edb694104ce1c933f84c253b21defa5b3a7775

                                                                                                                                          SHA512

                                                                                                                                          64f078ab4c13f47656091084eeb792a4c5f6d461b10aa10ae58b05831b47125f9a4faac9c912432879d136c9d052304573f6adfa9c7631e2028639975e71c3b8

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                                          Filesize

                                                                                                                                          1KB

                                                                                                                                          MD5

                                                                                                                                          04653f05d4d1a175ba5ad741e32bf62a

                                                                                                                                          SHA1

                                                                                                                                          a6cb4eb168469928d897392ddb368884b76c1eb3

                                                                                                                                          SHA256

                                                                                                                                          33e845fd5ab6fc88ac0e3f14eb309ca761ee1bcc15bc5ce55d1a6a95ceb59428

                                                                                                                                          SHA512

                                                                                                                                          89361b9c5a3c11b95120b97f3991e542da1f3b16a4e6162838dbfaedffc821f1549b1fdfd4c9cc9d9210b89700c2ebe75de59bd566c5cc366fe926352abe395d

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                                          Filesize

                                                                                                                                          1KB

                                                                                                                                          MD5

                                                                                                                                          573d1e62925387d13e0d613411cc121c

                                                                                                                                          SHA1

                                                                                                                                          a123c7d8623abd133c8ed806ec188676f7376b16

                                                                                                                                          SHA256

                                                                                                                                          694305059193d9349a93ced3581657f4b657b86c89877c018abb4508749458d6

                                                                                                                                          SHA512

                                                                                                                                          5a14af2c4d655bb6c5754a21e1034bd11fa8d4f332d480c8e1e7c5dbb3b92de659a34782d43516f92bcf64f53e487c9d6fb87280416d745fe7c4f6fa7f0062e6

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                                          Filesize

                                                                                                                                          1KB

                                                                                                                                          MD5

                                                                                                                                          6fec4b8f7746769eefe3cb452d658b1b

                                                                                                                                          SHA1

                                                                                                                                          7b013184096a7f57646694c8cad4905f084b3c9a

                                                                                                                                          SHA256

                                                                                                                                          5bc020a4314992a113b2be1c74703f8f4fbf20f17e2c1240b59d04f51ddc2b62

                                                                                                                                          SHA512

                                                                                                                                          272fe20981f61daa9cfc45aa1512fadc528d5be3b656dc790748c85cf23921f680c23a2e3b01b4b450ec4584e6662783efeddefd521056eaa82f02dd009eeccd

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                                          Filesize

                                                                                                                                          1KB

                                                                                                                                          MD5

                                                                                                                                          84c7c77296210b5b897c1722192f481d

                                                                                                                                          SHA1

                                                                                                                                          71fce80ed7d851c1c81dd37fefc368c443fa5401

                                                                                                                                          SHA256

                                                                                                                                          659a87eff513131ca9ce5a51a9ed647528b20178d8fbb9934ffd744fc99ba279

                                                                                                                                          SHA512

                                                                                                                                          2ff47ffa0ce8ca984fe72a9b4c6c3801d00f2bd1312c967e8a49d4118b00090f8a3e0e36b515b5e224845b596dc143c838e008fad41745e566546542be0f536b

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                                          Filesize

                                                                                                                                          1KB

                                                                                                                                          MD5

                                                                                                                                          13fae00152d7f61dabed44f283a5de01

                                                                                                                                          SHA1

                                                                                                                                          3f7ef763c87e63edb94ffccfbbdc8d107f3d7aa9

                                                                                                                                          SHA256

                                                                                                                                          4136e1573efcf03539437cce71eb7ff00c2bf95bf4c62b14b6322f83ec349870

                                                                                                                                          SHA512

                                                                                                                                          1d4b3ba4ace18cb7174de20a705167e66db1eb519f38dda7a1eedb07080c9b73613ce8b88db830423245b816f77ebd9a43ccec62798832f06ab7c58c2c360ba0

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                                          Filesize

                                                                                                                                          1KB

                                                                                                                                          MD5

                                                                                                                                          314130bd2fce3a7c8dc2da86dfce8def

                                                                                                                                          SHA1

                                                                                                                                          4e8f495a13b485a28ef8a4e0424c52a185721d42

                                                                                                                                          SHA256

                                                                                                                                          0b646d3cf94d5fca0990cd6dc7e3f0916ede402c3b7123523977d37ab546e694

                                                                                                                                          SHA512

                                                                                                                                          2429a5a79c42bb37eab2b2b97bb4d00caaa68a418eff5314e2b1151212c997c9839ee95d96bb18c57ecaf6174dcd55cedd2a6c293e435c3419b85f5226cb764b

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                                          Filesize

                                                                                                                                          1KB

                                                                                                                                          MD5

                                                                                                                                          17e8daea488f495ad18ed3c755f8e15d

                                                                                                                                          SHA1

                                                                                                                                          e17ccdda80c243525d48b606f2a3dcee39cf7ba0

                                                                                                                                          SHA256

                                                                                                                                          a8122cde4c8c3ae92c2d0545b6d25cc01d75e2ef5a2749b37cb0635c7dec567c

                                                                                                                                          SHA512

                                                                                                                                          ca799a8e8aba14bf9378027d4893117761f2c302523dece7be228fc1fbd591218f542d18a3d8a9560a0740b63d2968dad5ac49ff5713279761b3932e3e9dc5e4

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                                          Filesize

                                                                                                                                          1KB

                                                                                                                                          MD5

                                                                                                                                          8268ba0f144b4ccd201d2185ddc9c398

                                                                                                                                          SHA1

                                                                                                                                          47150481b0791935910cc7187daa9e7a0d0cae29

                                                                                                                                          SHA256

                                                                                                                                          231a45133837ab9c5218852c261159515a7fb6c492673020a4c126faf78040a0

                                                                                                                                          SHA512

                                                                                                                                          9d5a5e501c494921245b1f9df0c9e12875e0497aed3a7492f87a92fa3c21d993c3b68466cfb0bac35471a1a26e1e6812604a924cb337f81c29742643fff8dc83

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                                          Filesize

                                                                                                                                          1KB

                                                                                                                                          MD5

                                                                                                                                          853d5a76b93c564ebef1c6d80d4ca690

                                                                                                                                          SHA1

                                                                                                                                          090ad8da14dd5a846d04dfc7e134de797fccd24e

                                                                                                                                          SHA256

                                                                                                                                          b1811329e7a821458f32de99f4133e450a27937c3206fb54ac1472d4ff61eef8

                                                                                                                                          SHA512

                                                                                                                                          e83e3ae8b96196d36b4e88dda8416e44cf66dd5db6d11b45f2dddc82f37709e6a2b0a2998217014ab74bfb650576c0f942e9570c7e3e40edab72a26a6730a8b7

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                                          Filesize

                                                                                                                                          1KB

                                                                                                                                          MD5

                                                                                                                                          6c2364c799b8f619fb0c548f8af9e290

                                                                                                                                          SHA1

                                                                                                                                          7e6636eb0b9067681c4edd481519703aae2cd8c2

                                                                                                                                          SHA256

                                                                                                                                          3c0565bdbfd3c92549eb0af147fd83817cf1874098d3fed18324c3e5974dce6e

                                                                                                                                          SHA512

                                                                                                                                          314eb71c1e0a93ffe78897bd618fcbec50a5499de1a95985121f2867833ec4aa274d382c01bbc32861e601944e41a096cda96ddccc8864137c49fbb0a94d840d

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                                          Filesize

                                                                                                                                          1KB

                                                                                                                                          MD5

                                                                                                                                          218c9061dd2d92a44690a7a1ab2370ce

                                                                                                                                          SHA1

                                                                                                                                          ed59330850c9144406499d86a58535966c96de7d

                                                                                                                                          SHA256

                                                                                                                                          213dfcff45cc19a61e16d51e1bdf2c5419ce90884f8b3d7f3b676e2a9002913a

                                                                                                                                          SHA512

                                                                                                                                          dce25358270ad44750886c6affcc65dd351efb9d8f8f99d5b83738c7b13b56c7207a872256e2d30fb0f5b1ebf098a867ff808b4736eb95d57fef3ba78dce4220

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c498.TMP
                                                                                                                                          Filesize

                                                                                                                                          874B

                                                                                                                                          MD5

                                                                                                                                          99c855a3ac5d57d5dce0480b507c0e0e

                                                                                                                                          SHA1

                                                                                                                                          5df9d16d1d6b7e928628075c8f2c5f1da3ecc72f

                                                                                                                                          SHA256

                                                                                                                                          eeb958fce05fbe38a2e8987a659a3dd9fae2ccd87e3cc528c00050fad36de663

                                                                                                                                          SHA512

                                                                                                                                          6f36b74426d44079c2d8ce3e1654e8925fc20165bcfa758be9c3af8d4fddf4a6919109e92192d1de11b474ed1c05883bd0bc27c1f0b299abc59d85154444e731

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                                                                                          Filesize

                                                                                                                                          16B

                                                                                                                                          MD5

                                                                                                                                          46295cac801e5d4857d09837238a6394

                                                                                                                                          SHA1

                                                                                                                                          44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                                                                                                          SHA256

                                                                                                                                          0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                                                                                                          SHA512

                                                                                                                                          8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                                                                                          Filesize

                                                                                                                                          16B

                                                                                                                                          MD5

                                                                                                                                          206702161f94c5cd39fadd03f4014d98

                                                                                                                                          SHA1

                                                                                                                                          bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                                                                                                          SHA256

                                                                                                                                          1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                                                                                                          SHA512

                                                                                                                                          0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                          Filesize

                                                                                                                                          11KB

                                                                                                                                          MD5

                                                                                                                                          929271d0c1c0892bbc672a8d19de1383

                                                                                                                                          SHA1

                                                                                                                                          fec00f89704bc6fbc8e1c05c3e9793f9996efd52

                                                                                                                                          SHA256

                                                                                                                                          f732b3d1efc7259f48ca84a8f1c7e9669745bdd4994288ba256da924a884b3a7

                                                                                                                                          SHA512

                                                                                                                                          b617c7d9adf7156da1a5aca906847fd45dfb8eee958017a63ed0e5c9965c307c9e4d84138118620361475eb54244cfb8673bc8bb805863bcaa8092491be98d97

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                          Filesize

                                                                                                                                          11KB

                                                                                                                                          MD5

                                                                                                                                          57ddab1503059bf8b56cb8cd9f5a8b8b

                                                                                                                                          SHA1

                                                                                                                                          9f352aa868fad2205e8fcca3ac4fab6c0a843b05

                                                                                                                                          SHA256

                                                                                                                                          36dc312b58baa5ded91730d146c21c597b0f27e10b831e7522e72a49b5a7c6e6

                                                                                                                                          SHA512

                                                                                                                                          b52a69dd1fef10714e8bf3a354563fa30585679401df86b62dfcb1ce27fea02c2b83c186689a3260ad2add9c4d285afbac618385d99aba89c8f679844f360335

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                          Filesize

                                                                                                                                          11KB

                                                                                                                                          MD5

                                                                                                                                          0db4bb1bd9a105d2b8db26e86c6d0ebb

                                                                                                                                          SHA1

                                                                                                                                          61b120602dd562453959b9c216495b42b9f45e03

                                                                                                                                          SHA256

                                                                                                                                          892d03a04529827655f6dbd61f2516fc55591c9dc6b677ab68edc95f9a257a17

                                                                                                                                          SHA512

                                                                                                                                          577be289922a213e8fa76d821d0c59a4114f2c686bce8c3ba2e56e753446d5cee6fceff59d89ca3f90eb28cec0aabb2b0ace586ea8b5dc51d8b6b0d1493291e5

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                          Filesize

                                                                                                                                          11KB

                                                                                                                                          MD5

                                                                                                                                          dd4bd6fa79521dbad68ace38acc6db79

                                                                                                                                          SHA1

                                                                                                                                          dae96a1c7ff2c7df237649baba40d5cc3a1e33b7

                                                                                                                                          SHA256

                                                                                                                                          2748d1284f0e65d3b00699dca14af100f2b4498f3eff22ae2987644cb9ef2da0

                                                                                                                                          SHA512

                                                                                                                                          1c455a9f8ea14ce2130757d555e7217e1366a81756b5fc3a0743466bc8f1bb37efd727034ec13c26c7754a7ab874db8442f09da11153ac268d7080818fc72dea

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                          Filesize

                                                                                                                                          10KB

                                                                                                                                          MD5

                                                                                                                                          b0cb7a3d7ad8c2aa732ecda5bd95db6b

                                                                                                                                          SHA1

                                                                                                                                          edba0377869ad0a32d7aeb58b94c9b38954b0905

                                                                                                                                          SHA256

                                                                                                                                          6eb024852f9ba2f5cb59337ee6e0de1637d8470ae54c01955106de3d1aba095f

                                                                                                                                          SHA512

                                                                                                                                          c82af16c35d783a7d945b6a70a077de97a764bf0673e4e1ee65a2572cb0897bbf1623c5e4174ee056aa202c17f035fbfb56baa3f00daad4c66888c9b4ef23c5b

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                          Filesize

                                                                                                                                          10KB

                                                                                                                                          MD5

                                                                                                                                          54bfeb29ec3b9a2aa0680e939555f76c

                                                                                                                                          SHA1

                                                                                                                                          8d04a1522d2c0e60a940559a862c833c30f23e1d

                                                                                                                                          SHA256

                                                                                                                                          a12f9b2689b8ef060f51e4f5c0b584e0c20afd4365f4717a834ae845438a3194

                                                                                                                                          SHA512

                                                                                                                                          c1586cad2d0091aaffe21d9245480548177a822e66efd30e5270ba759fc7cabcbd862e5d5046628358082c7a132af020e36cee00997e78c91d7fe95ec17f57f6

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\RES6C6C.tmp
                                                                                                                                          Filesize

                                                                                                                                          5KB

                                                                                                                                          MD5

                                                                                                                                          58e533c29daef35add2447e0cf5b0306

                                                                                                                                          SHA1

                                                                                                                                          a380607728a124cc22b70233ea2e1c6e873ca5c5

                                                                                                                                          SHA256

                                                                                                                                          4f03e864f599dde78c8b7c0af488378c6aee1f3c65ad0797506b981c5063c33f

                                                                                                                                          SHA512

                                                                                                                                          529366c4ea3c2f1ea414ed70547f3e7710359d2ba1b31530ac10866157a87520f4d92338360b9cadbc850562c606a2ef63a9a0481bea82fc239a7483653ec4f4

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
                                                                                                                                          Filesize

                                                                                                                                          21KB

                                                                                                                                          MD5

                                                                                                                                          fec89e9d2784b4c015fed6f5ae558e08

                                                                                                                                          SHA1

                                                                                                                                          581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

                                                                                                                                          SHA256

                                                                                                                                          489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

                                                                                                                                          SHA512

                                                                                                                                          e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\cazk9cvd.0.vb
                                                                                                                                          Filesize

                                                                                                                                          369B

                                                                                                                                          MD5

                                                                                                                                          e4a08a8771d09ebc9b6f8c2579f79e49

                                                                                                                                          SHA1

                                                                                                                                          e9fcba487e1a511f4a3650ab5581911b5e88395d

                                                                                                                                          SHA256

                                                                                                                                          ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6

                                                                                                                                          SHA512

                                                                                                                                          48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\cazk9cvd.cmdline
                                                                                                                                          Filesize

                                                                                                                                          253B

                                                                                                                                          MD5

                                                                                                                                          c2ca814a4ce12fecc6a292368da5ae5b

                                                                                                                                          SHA1

                                                                                                                                          c97d404ec889dfcd20611ccb1980b19007c63aa7

                                                                                                                                          SHA256

                                                                                                                                          e252f13f893d6c65cbfa52d9b6c57ea56c8e6c5edc0d71d56b848bca5e0f8f8e

                                                                                                                                          SHA512

                                                                                                                                          3d87741aab550ba922f6443267712152e5a6972a40904a20e8d0dd94f760eef541c6884388d94b0321e8f56eedd86019d7ad0bd2115f9796e42bb68d413f9070

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\jwilxfps.0.vb
                                                                                                                                          Filesize

                                                                                                                                          355B

                                                                                                                                          MD5

                                                                                                                                          acd609faf5d65b35619397dc8a3bc721

                                                                                                                                          SHA1

                                                                                                                                          ba681e91613d275de4b51317a83e19de2dbf1399

                                                                                                                                          SHA256

                                                                                                                                          4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518

                                                                                                                                          SHA512

                                                                                                                                          400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\jwilxfps.cmdline
                                                                                                                                          Filesize

                                                                                                                                          224B

                                                                                                                                          MD5

                                                                                                                                          802940544c9e757c5037bb772d09737f

                                                                                                                                          SHA1

                                                                                                                                          5261d9c41a7182e736393973442f4859101ca0dc

                                                                                                                                          SHA256

                                                                                                                                          231392980a2435248d62548331bb7c4142b5440387f419cb66f2449fca6ac0a2

                                                                                                                                          SHA512

                                                                                                                                          e939c953ab91fe6a11365d3dd785f3c1c8cf384cf39a4ec58214d55edacd6307529454085e573a1bf286fc8173c0c4a53c1e4294591295f93620fd67d0d499ba

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp3CD0.tmp
                                                                                                                                          Filesize

                                                                                                                                          1KB

                                                                                                                                          MD5

                                                                                                                                          fa95a89e9d4c69775bde959fb56e51f7

                                                                                                                                          SHA1

                                                                                                                                          5913c717179663c85c68af6b3d00e3c2078c719f

                                                                                                                                          SHA256

                                                                                                                                          bfd170ee10cfd6ca81e63196c356c89d1f11032e105c7e04238656b788c2a811

                                                                                                                                          SHA512

                                                                                                                                          accc00c271f9db21c3c2d01b590d19e757e7349ab2abec78b86ac018f85699d8c15edd6eba24b7e572be0bc2fea705affc0dcec60ca05549bb68464f1295594c

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt
                                                                                                                                          Filesize

                                                                                                                                          39B

                                                                                                                                          MD5

                                                                                                                                          502984a8e7a0925ac8f79ef407382140

                                                                                                                                          SHA1

                                                                                                                                          0e047aa443d2101eb33ac4742720cb528d9d9dba

                                                                                                                                          SHA256

                                                                                                                                          d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

                                                                                                                                          SHA512

                                                                                                                                          6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\vbc5048AEAFCC944805AD4DFB39FCB4289A.TMP
                                                                                                                                          Filesize

                                                                                                                                          668B

                                                                                                                                          MD5

                                                                                                                                          3906bddee0286f09007add3cffcaa5d5

                                                                                                                                          SHA1

                                                                                                                                          0e7ec4da19db060ab3c90b19070d39699561aae2

                                                                                                                                          SHA256

                                                                                                                                          0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

                                                                                                                                          SHA512

                                                                                                                                          0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\vbc91C430651F5C45A79C8022C081A1DB9.TMP
                                                                                                                                          Filesize

                                                                                                                                          5KB

                                                                                                                                          MD5

                                                                                                                                          84e9754f45218a78242330abb7473ecb

                                                                                                                                          SHA1

                                                                                                                                          3794a5508df76d7f33bde4737eda47522f5c1fdd

                                                                                                                                          SHA256

                                                                                                                                          a979621de3bcabf9a0fa00116bcd57f69908b5471341f966c2930f07acfee835

                                                                                                                                          SHA512

                                                                                                                                          32b51e82e505e9124fa032bfd02997de6d6f56e0c0dfb206aec2124199048168ec0f7927a0a289f4653662bdeb5089d91db080019a9556491ef111df99b12623

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\vbcA6D7A55C137B4A6FA7DF5B35D7F33415.TMP
                                                                                                                                          Filesize

                                                                                                                                          644B

                                                                                                                                          MD5

                                                                                                                                          dac60af34e6b37e2ce48ac2551aee4e7

                                                                                                                                          SHA1

                                                                                                                                          968c21d77c1f80b3e962d928c35893dbc8f12c09

                                                                                                                                          SHA256

                                                                                                                                          2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

                                                                                                                                          SHA512

                                                                                                                                          1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\vbcCAD94E5AE80C4D5EB4F575B177EC9AA.TMP
                                                                                                                                          Filesize

                                                                                                                                          676B

                                                                                                                                          MD5

                                                                                                                                          85c61c03055878407f9433e0cc278eb7

                                                                                                                                          SHA1

                                                                                                                                          15a60f1519aefb81cb63c5993400dd7d31b1202f

                                                                                                                                          SHA256

                                                                                                                                          f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

                                                                                                                                          SHA512

                                                                                                                                          7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
                                                                                                                                          Filesize

                                                                                                                                          8KB

                                                                                                                                          MD5

                                                                                                                                          15d4d5d8ad9ba7681f3f0035a513c958

                                                                                                                                          SHA1

                                                                                                                                          a181ef9c31e5bdf0eae0f86b6ead928a02d7e551

                                                                                                                                          SHA256

                                                                                                                                          900189b399ceb0ee848446af65c89aa5592111ebf03e75f03bea701837165012

                                                                                                                                          SHA512

                                                                                                                                          496044303a357efea5b247ca208aeaa005737032b0356fff743a0850c7af4e4a6b93cb1910334512b0487f378fb45cdabe9ad25693b6bcf5321a0379238f6bd1

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\Downloads\Blackkomet.exe:Zone.Identifier
                                                                                                                                          Filesize

                                                                                                                                          55B

                                                                                                                                          MD5

                                                                                                                                          0f98a5550abe0fb880568b1480c96a1c

                                                                                                                                          SHA1

                                                                                                                                          d2ce9f7057b201d31f79f3aee2225d89f36be07d

                                                                                                                                          SHA256

                                                                                                                                          2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

                                                                                                                                          SHA512

                                                                                                                                          dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier
                                                                                                                                          Filesize

                                                                                                                                          26B

                                                                                                                                          MD5

                                                                                                                                          fbccf14d504b7b2dbcb5a5bda75bd93b

                                                                                                                                          SHA1

                                                                                                                                          d59fc84cdd5217c6cf74785703655f78da6b582b

                                                                                                                                          SHA256

                                                                                                                                          eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

                                                                                                                                          SHA512

                                                                                                                                          aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\Downloads\Unconfirmed 376597.crdownload
                                                                                                                                          Filesize

                                                                                                                                          31KB

                                                                                                                                          MD5

                                                                                                                                          29a37b6532a7acefa7580b826f23f6dd

                                                                                                                                          SHA1

                                                                                                                                          a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f

                                                                                                                                          SHA256

                                                                                                                                          7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69

                                                                                                                                          SHA512

                                                                                                                                          a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\Downloads\Unconfirmed 376597.crdownload:SmartScreen
                                                                                                                                          Filesize

                                                                                                                                          7B

                                                                                                                                          MD5

                                                                                                                                          4047530ecbc0170039e76fe1657bdb01

                                                                                                                                          SHA1

                                                                                                                                          32db7d5e662ebccdd1d71de285f907e3a1c68ac5

                                                                                                                                          SHA256

                                                                                                                                          82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

                                                                                                                                          SHA512

                                                                                                                                          8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\Downloads\Unconfirmed 390591.crdownload
                                                                                                                                          Filesize

                                                                                                                                          756KB

                                                                                                                                          MD5

                                                                                                                                          c7dcd585b7e8b046f209052bcd6dd84b

                                                                                                                                          SHA1

                                                                                                                                          604dcfae9eed4f65c80a4a39454db409291e08fa

                                                                                                                                          SHA256

                                                                                                                                          0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

                                                                                                                                          SHA512

                                                                                                                                          c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\Downloads\Unconfirmed 492592.crdownload
                                                                                                                                          Filesize

                                                                                                                                          2.8MB

                                                                                                                                          MD5

                                                                                                                                          cce284cab135d9c0a2a64a7caec09107

                                                                                                                                          SHA1

                                                                                                                                          e4b8f4b6cab18b9748f83e9fffd275ef5276199e

                                                                                                                                          SHA256

                                                                                                                                          18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

                                                                                                                                          SHA512

                                                                                                                                          c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\Downloads\Unconfirmed 533665.crdownload
                                                                                                                                          Filesize

                                                                                                                                          84KB

                                                                                                                                          MD5

                                                                                                                                          b6e148ee1a2a3b460dd2a0adbf1dd39c

                                                                                                                                          SHA1

                                                                                                                                          ec0efbe8fd2fa5300164e9e4eded0d40da549c60

                                                                                                                                          SHA256

                                                                                                                                          dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

                                                                                                                                          SHA512

                                                                                                                                          4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\Downloads\Unconfirmed 68302.crdownload
                                                                                                                                          Filesize

                                                                                                                                          53KB

                                                                                                                                          MD5

                                                                                                                                          87ccd6f4ec0e6b706d65550f90b0e3c7

                                                                                                                                          SHA1

                                                                                                                                          213e6624bff6064c016b9cdc15d5365823c01f5f

                                                                                                                                          SHA256

                                                                                                                                          e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

                                                                                                                                          SHA512

                                                                                                                                          a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\Downloads\Unconfirmed 749995.crdownload
                                                                                                                                          Filesize

                                                                                                                                          224KB

                                                                                                                                          MD5

                                                                                                                                          5c7fb0927db37372da25f270708103a2

                                                                                                                                          SHA1

                                                                                                                                          120ed9279d85cbfa56e5b7779ffa7162074f7a29

                                                                                                                                          SHA256

                                                                                                                                          be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

                                                                                                                                          SHA512

                                                                                                                                          a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\Downloads\Unconfirmed 838215.crdownload
                                                                                                                                          Filesize

                                                                                                                                          261KB

                                                                                                                                          MD5

                                                                                                                                          7d80230df68ccba871815d68f016c282

                                                                                                                                          SHA1

                                                                                                                                          e10874c6108a26ceedfc84f50881824462b5b6b6

                                                                                                                                          SHA256

                                                                                                                                          f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

                                                                                                                                          SHA512

                                                                                                                                          64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\Downloads\Unconfirmed 867798.crdownload
                                                                                                                                          Filesize

                                                                                                                                          5KB

                                                                                                                                          MD5

                                                                                                                                          fe537a3346590c04d81d357e3c4be6e8

                                                                                                                                          SHA1

                                                                                                                                          b1285f1d8618292e17e490857d1bdf0a79104837

                                                                                                                                          SHA256

                                                                                                                                          bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a

                                                                                                                                          SHA512

                                                                                                                                          50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\Downloads\Unconfirmed 936603.crdownload
                                                                                                                                          Filesize

                                                                                                                                          1.4MB

                                                                                                                                          MD5

                                                                                                                                          63210f8f1dde6c40a7f3643ccf0ff313

                                                                                                                                          SHA1

                                                                                                                                          57edd72391d710d71bead504d44389d0462ccec9

                                                                                                                                          SHA256

                                                                                                                                          2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

                                                                                                                                          SHA512

                                                                                                                                          87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\Downloads\Unconfirmed 970338.crdownload
                                                                                                                                          Filesize

                                                                                                                                          321KB

                                                                                                                                          MD5

                                                                                                                                          600e0dbaefc03f7bf50abb0def3fb465

                                                                                                                                          SHA1

                                                                                                                                          1b5f0ac48e06edc4ed8243be61d71077f770f2b4

                                                                                                                                          SHA256

                                                                                                                                          61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2

                                                                                                                                          SHA512

                                                                                                                                          151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9

                                                                                                                                          Download Submit

                                                                                                                                        • C:\Users\Admin\Downloads\Unconfirmed 981100.crdownload
                                                                                                                                          Filesize

                                                                                                                                          4.0MB

                                                                                                                                          MD5

                                                                                                                                          1d9045870dbd31e2e399a4e8ecd9302f

                                                                                                                                          SHA1

                                                                                                                                          7857c1ebfd1b37756d106027ed03121d8e7887cf

                                                                                                                                          SHA256

                                                                                                                                          9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

                                                                                                                                          SHA512

                                                                                                                                          9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

                                                                                                                                          Download Submit

                                                                                                                                        • memory/888-419-0x00000198A7C80000-0x00000198A7C9E000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          120KB

                                                                                                                                          Download

                                                                                                                                        • memory/1372-588-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          128KB

                                                                                                                                          Download

                                                                                                                                        • memory/2104-483-0x0000000013140000-0x000000001320F000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          828KB

                                                                                                                                          Download

                                                                                                                                        • memory/2116-663-0x0000000000400000-0x0000000000553000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          1.3MB

                                                                                                                                          Download

                                                                                                                                        • memory/2116-662-0x0000000000400000-0x0000000000553000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          1.3MB

                                                                                                                                          Download

                                                                                                                                        • memory/2312-320-0x0000000013140000-0x000000001320F000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          828KB

                                                                                                                                          Download

                                                                                                                                        • memory/3928-586-0x000000001BBD0000-0x000000001BC32000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          392KB

                                                                                                                                          Download

                                                                                                                                        • memory/3928-584-0x000000001B4E0000-0x000000001B9AE000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          4.8MB

                                                                                                                                          Download

                                                                                                                                        • memory/3928-585-0x000000001BA60000-0x000000001BB06000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          664KB

                                                                                                                                          Download

                                                                                                                                        • memory/3936-1480-0x0000000000B70000-0x0000000000B7C000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          48KB

                                                                                                                                          Download

                                                                                                                                        • memory/4052-651-0x0000000005DF0000-0x0000000005E8C000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          624KB

                                                                                                                                          Download

                                                                                                                                        • memory/4052-647-0x0000000000B10000-0x0000000000B66000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          344KB

                                                                                                                                          Download

                                                                                                                                        • memory/4052-648-0x0000000005F70000-0x0000000006516000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          5.6MB

                                                                                                                                          Download

                                                                                                                                        • memory/4052-649-0x00000000059C0000-0x0000000005A52000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          584KB

                                                                                                                                          Download

                                                                                                                                        • memory/4052-650-0x0000000005690000-0x0000000005698000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          32KB

                                                                                                                                          Download

                                                                                                                                        • memory/4052-652-0x0000000005D50000-0x0000000005D78000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          160KB

                                                                                                                                          Download

                                                                                                                                        • memory/4844-589-0x0000000000400000-0x000000000040C000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          48KB

                                                                                                                                          Download

                                                                                                                                        • memory/4916-473-0x0000000013140000-0x000000001320F000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          828KB

                                                                                                                                          Download

                                                                                                                                        • memory/4916-358-0x0000000013140000-0x000000001320F000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          828KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1069-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1157-0x00000000051E0000-0x00000000051EA000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          40KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1044-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1042-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1040-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1038-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1033-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1064-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1056-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1052-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1050-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1048-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1046-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1036-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1034-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1054-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1058-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1060-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1062-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1066-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1070-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1074-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1076-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1078-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1082-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1084-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1080-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1470-0x00000000056F0000-0x00000000056FE000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          56KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1032-0x0000000004A20000-0x0000000004A52000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          200KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1072-0x0000000004A20000-0x0000000004A4B000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          172KB

                                                                                                                                          Download

                                                                                                                                        • memory/4972-1031-0x00000000049F0000-0x0000000004A22000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          200KB

                                                                                                                                          Download

                                                                                                                                        • memory/5052-461-0x0000024589680000-0x0000024589F94000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          9.1MB

                                                                                                                                          Download