asyncrat | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
1800s
max time network
1800s
platform
windows11-21h2_x64
resource
win11-20250210-en
resource tags

arch:x64arch:x86image:win11-20250210-enlocale:en-usos:windows11-21h2-x64system
submitted
14-02-2025 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

asyncrat xworm zharkbot default adware botnet defense_evasion discovery persistence privilege_escalation pyinstaller rat stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:8080

127.0.0.1:18274

6.tcp.eu.ngrok.io:6606

6.tcp.eu.ngrok.io:7707

6.tcp.eu.ngrok.io:8808

6.tcp.eu.ngrok.io:8080

6.tcp.eu.ngrok.io:18274

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2644-1146-0x00000255242A0000-0x00000255242CC000-memory.dmp	family_xworm

Detects ZharkBot payload 1 IoCs

ZharkBot is a botnet written C++.

resource	yara_rule
behavioral1/files/0x000300000000d363-3822.dat	zharkcore

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
ZharkBot
ZharkBot is a botnet written C++.
botnet zharkbot
Zharkbot family
zharkbot

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00070000000260b0-3702.dat	family_asyncrat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe

Downloads MZ/PE file 15 IoCs

flow	pid	Process
24	784	4363463463464363463463463.exe
75	784	4363463463464363463463463.exe
283	784	4363463463464363463463463.exe
228	784	4363463463464363463463463.exe
67	1560	Process not Found
68	784	4363463463464363463463463.exe
68	784	4363463463464363463463463.exe
118	1560	Process not Found
31	784	4363463463464363463463463.exe
13	1560	Process not Found
36	784	4363463463464363463463463.exe
217	784	4363463463464363463463463.exe
43	784	4363463463464363463463463.exe
51	916	Process not Found
78	784	4363463463464363463463463.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1520	netsh.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	Update.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	heo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	heo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	heo.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 36 IoCs

pid	Process
2644	OneDrive.exe
4132	OneDrive.exe
3196	DiscordSpotifyBypass.exe
5328	DiscordSpotifyBypass.exe
6024	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
6632	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
244	DiscordSpotifyBypass.exe
2416	DiscordSpotifyBypass.exe
7144	DiscordSpotifyBypass.exe
4992	DiscordSpotifyBypass.exe
5124	OneDrive.exe
5504	aaa%20(3).exe
5880	Update.exe
1668	Update.exe
3632	aaa%20(3).exe
7812	CISNSATEST.exe
3740	heo.exe
7852	heo.exe
5332	CISNSATEST.exe
3132	setup.exe
7320	setup.exe
5872	setup.exe
6040	setup.exe
948	setup.exe
1876	setup.exe
4884	setup.exe
6188	setup.exe
3616	setup.exe
6356	setup.exe
7528	setup.exe
7548	setup.exe
7948	heo.exe
2604	CISNSATEST.exe
5956	stub.exe

Loads dropped DLL 64 IoCs

pid	Process
5328	DiscordSpotifyBypass.exe
5328	DiscordSpotifyBypass.exe
5328	DiscordSpotifyBypass.exe
5328	DiscordSpotifyBypass.exe
5328	DiscordSpotifyBypass.exe
5328	DiscordSpotifyBypass.exe
5328	DiscordSpotifyBypass.exe
5328	DiscordSpotifyBypass.exe
5328	DiscordSpotifyBypass.exe
5328	DiscordSpotifyBypass.exe
5328	DiscordSpotifyBypass.exe
5328	DiscordSpotifyBypass.exe
5328	DiscordSpotifyBypass.exe
5328	DiscordSpotifyBypass.exe
5328	DiscordSpotifyBypass.exe
5328	DiscordSpotifyBypass.exe
5328	DiscordSpotifyBypass.exe
5328	DiscordSpotifyBypass.exe
5328	DiscordSpotifyBypass.exe
5328	DiscordSpotifyBypass.exe
5328	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
2416	DiscordSpotifyBypass.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Update.exe"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1003530991-2962315046-3000157291-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\documents\\OneDrive.exe"	OneDrive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1003530991-2962315046-3000157291-1000\Software\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Update.exe\" .."	Update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Update.exe\" .."	Update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1003530991-2962315046-3000157291-1000\Software\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Update.exe"	Update.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 23 IoCs

Web Service

T1102

flow	ioc
346	6.tcp.eu.ngrok.io
128	6.tcp.eu.ngrok.io
300	6.tcp.eu.ngrok.io
190	6.tcp.eu.ngrok.io
218	6.tcp.eu.ngrok.io
249	6.tcp.eu.ngrok.io
276	6.tcp.eu.ngrok.io
385	6.tcp.eu.ngrok.io
45	raw.githubusercontent.com
94	6.tcp.eu.ngrok.io
68	raw.githubusercontent.com
361	6.tcp.eu.ngrok.io
367	6.tcp.eu.ngrok.io
33	raw.githubusercontent.com
36	raw.githubusercontent.com
46	raw.githubusercontent.com
48	raw.githubusercontent.com
55	raw.githubusercontent.com
153	6.tcp.eu.ngrok.io
183	6.tcp.eu.ngrok.io
321	6.tcp.eu.ngrok.io
33	6.tcp.eu.ngrok.io
44	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ur.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\VisualElements\SmallLogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\TransparentAdvertisers	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\it.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Stable.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\gl.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\te.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\ro.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\zh-TW.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\msedge.dll.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\bg.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Analytics	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Sigma\Staging	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\delegatedWebFeatures.sccd	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Content	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\fil.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ms.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\gu.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vk_swiftshader.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\sl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\edge_game_assist\VERSION	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Staging	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Trust Protection Lists\Sigma\Analytics	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\ms.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\es-419.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\bn-IN.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_pwa_launcher.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\webview2_integration.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\hr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Cryptomining	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Dev.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3616_13383970804828135_3616.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\edge_feedback\mf_trace.wprp	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_helper.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\ar.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\cs.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\bs.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Trust Protection Lists\Sigma\Advertising	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\edge_game_assist\EdgeGameAssist.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\sq.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sr-Cyrl-BA.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe	MicrosoftEdge_X64_133.0.3065.59.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\BHO\ie_to_edge_bho.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\uk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\fr-CA.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\gd.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\da.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\km.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\WidevineCdm\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Trust Protection Lists\Sigma\Entities	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\km.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\bn-IN.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\CompatExceptions	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\km.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\nb.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Canary.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vulkan-1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\SmallLogoDev.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\dev.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Sigma\Advertising	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\resources.pak	setup.exe

Drops file in Windows directory 44 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File created	C:\Windows\SystemTemp\9dbde9c1-9904-49e7-b049-8930d10b3b33.tmp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Windows\SystemTemp\580cbd5e-9dd8-4b40-b9b8-6596ea7b4e79.tmp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001900000002ad87-2228.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2484	5956	WerFault.exe	155

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	heo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CISNSATEST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CISNSATEST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	heo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	heo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CISNSATEST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaa%20(3).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaa%20(3).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1124	MicrosoftEdgeUpdate.exe
3160	MicrosoftEdgeUpdate.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0"	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\open	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds\MSEdgeHTM	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\Application	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/html	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\ProgrammaticAccessOnly	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\AppUserModelId = "MSEdge"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\MSEdgePDF	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\notification_click_helper.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\AppUserModelId = "MSEdge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.mhtml\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.mhtml	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win64	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\ = "PDF Preview Handler"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\EBWebView\\x64\\EmbeddedBrowserWebView.dll"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xml\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationName = "Microsoft Edge"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\EnablePreviewHandler = "1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xml\OpenWithProgIds\MSEdgeHTM	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,11"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ = "ie_to_edge_bho.IEToEdgeBHO.1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.svg\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO\\ie_to_edge_bho_64.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\PdfPreview\\PdfPreviewHandler.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\AppUserModelId = "MSEdge"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\runas\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\LocalService = "MicrosoftEdgeElevationService"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
3040	powershell.exe
3040	powershell.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5076	taskmgr.exe
1668	Update.exe
3740	heo.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	784	4363463463464363463463463.exe
Token: SeDebugPrivilege	5076	taskmgr.exe
Token: SeSystemProfilePrivilege	5076	taskmgr.exe
Token: SeCreateGlobalPrivilege	5076	taskmgr.exe
Token: SeDebugPrivilege	2644	OneDrive.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2644	OneDrive.exe
Token: SeDebugPrivilege	2644	OneDrive.exe
Token: SeDebugPrivilege	4132	OneDrive.exe
Token: SeDebugPrivilege	5328	DiscordSpotifyBypass.exe
Token: SeDebugPrivilege	4324	DiscordSpotifyBypass.exe
Token: SeDebugPrivilege	7224	DiscordSpotifyBypass.exe
Token: SeDebugPrivilege	2416	DiscordSpotifyBypass.exe
Token: SeDebugPrivilege	4992	DiscordSpotifyBypass.exe
Token: SeDebugPrivilege	5124	OneDrive.exe
Token: SeDebugPrivilege	1668	Update.exe
Token: 33	1668	Update.exe
Token: SeIncBasePriorityPrivilege	1668	Update.exe
Token: 33	1668	Update.exe
Token: SeIncBasePriorityPrivilege	1668	Update.exe
Token: 33	1668	Update.exe
Token: SeIncBasePriorityPrivilege	1668	Update.exe
Token: SeDebugPrivilege	3740	heo.exe
Token: 33	3740	heo.exe
Token: SeIncBasePriorityPrivilege	3740	heo.exe
Token: 33	1668	Update.exe
Token: SeIncBasePriorityPrivilege	1668	Update.exe
Token: 33	3740	heo.exe
Token: SeIncBasePriorityPrivilege	3740	heo.exe
Token: 33	1668	Update.exe
Token: SeIncBasePriorityPrivilege	1668	Update.exe
Token: 33	3740	heo.exe
Token: SeIncBasePriorityPrivilege	3740	heo.exe
Token: 33	1668	Update.exe
Token: SeIncBasePriorityPrivilege	1668	Update.exe
Token: 33	3740	heo.exe
Token: SeIncBasePriorityPrivilege	3740	heo.exe
Token: 33	1668	Update.exe
Token: SeIncBasePriorityPrivilege	1668	Update.exe
Token: 33	3132	setup.exe
Token: SeIncBasePriorityPrivilege	3132	setup.exe
Token: 33	3740	heo.exe
Token: SeIncBasePriorityPrivilege	3740	heo.exe
Token: 33	1668	Update.exe
Token: SeIncBasePriorityPrivilege	1668	Update.exe
Token: 33	3740	heo.exe
Token: SeIncBasePriorityPrivilege	3740	heo.exe
Token: 33	1668	Update.exe
Token: SeIncBasePriorityPrivilege	1668	Update.exe
Token: 33	3740	heo.exe
Token: SeIncBasePriorityPrivilege	3740	heo.exe
Token: 33	1668	Update.exe
Token: SeIncBasePriorityPrivilege	1668	Update.exe
Token: 33	3740	heo.exe
Token: SeIncBasePriorityPrivilege	3740	heo.exe
Token: 33	1668	Update.exe
Token: SeIncBasePriorityPrivilege	1668	Update.exe
Token: 33	3740	heo.exe
Token: SeIncBasePriorityPrivilege	3740	heo.exe
Token: 33	1668	Update.exe
Token: SeIncBasePriorityPrivilege	1668	Update.exe
Token: 33	3740	heo.exe
Token: SeIncBasePriorityPrivilege	3740	heo.exe
Token: 33	1668	Update.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
6024	DiscordSpotifyBypass.exe
4324	DiscordSpotifyBypass.exe
6632	DiscordSpotifyBypass.exe
7224	DiscordSpotifyBypass.exe
244	DiscordSpotifyBypass.exe
2416	DiscordSpotifyBypass.exe
7144	DiscordSpotifyBypass.exe
4992	DiscordSpotifyBypass.exe
4236	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 2644	784	4363463463464363463463463.exe	91
PID 784 wrote to memory of 2644	784	4363463463464363463463463.exe	91
PID 2644 wrote to memory of 3040	2644	OneDrive.exe	92
PID 2644 wrote to memory of 3040	2644	OneDrive.exe	92
PID 784 wrote to memory of 3196	784	4363463463464363463463463.exe	105
PID 784 wrote to memory of 3196	784	4363463463464363463463463.exe	105
PID 3196 wrote to memory of 5328	3196	DiscordSpotifyBypass.exe	107
PID 3196 wrote to memory of 5328	3196	DiscordSpotifyBypass.exe	107
PID 6024 wrote to memory of 4324	6024	DiscordSpotifyBypass.exe	110
PID 6024 wrote to memory of 4324	6024	DiscordSpotifyBypass.exe	110
PID 6632 wrote to memory of 7224	6632	DiscordSpotifyBypass.exe	113
PID 6632 wrote to memory of 7224	6632	DiscordSpotifyBypass.exe	113
PID 244 wrote to memory of 2416	244	DiscordSpotifyBypass.exe	116
PID 244 wrote to memory of 2416	244	DiscordSpotifyBypass.exe	116
PID 7144 wrote to memory of 4992	7144	DiscordSpotifyBypass.exe	119
PID 7144 wrote to memory of 4992	7144	DiscordSpotifyBypass.exe	119
PID 784 wrote to memory of 5504	784	4363463463464363463463463.exe	123
PID 784 wrote to memory of 5504	784	4363463463464363463463463.exe	123
PID 784 wrote to memory of 5504	784	4363463463464363463463463.exe	123
PID 784 wrote to memory of 5880	784	4363463463464363463463463.exe	124
PID 784 wrote to memory of 5880	784	4363463463464363463463463.exe	124
PID 784 wrote to memory of 5880	784	4363463463464363463463463.exe	124
PID 5880 wrote to memory of 1668	5880	Update.exe	125
PID 5880 wrote to memory of 1668	5880	Update.exe	125
PID 5880 wrote to memory of 1668	5880	Update.exe	125
PID 1668 wrote to memory of 1520	1668	Update.exe	126
PID 1668 wrote to memory of 1520	1668	Update.exe	126
PID 1668 wrote to memory of 1520	1668	Update.exe	126
PID 784 wrote to memory of 7812	784	4363463463464363463463463.exe	130
PID 784 wrote to memory of 7812	784	4363463463464363463463463.exe	130
PID 784 wrote to memory of 7812	784	4363463463464363463463463.exe	130
PID 784 wrote to memory of 3740	784	4363463463464363463463463.exe	131
PID 784 wrote to memory of 3740	784	4363463463464363463463463.exe	131
PID 784 wrote to memory of 3740	784	4363463463464363463463463.exe	131
PID 3704 wrote to memory of 3132	3704	MicrosoftEdge_X64_133.0.3065.59.exe	137
PID 3704 wrote to memory of 3132	3704	MicrosoftEdge_X64_133.0.3065.59.exe	137
PID 3132 wrote to memory of 7320	3132	setup.exe	138
PID 3132 wrote to memory of 7320	3132	setup.exe	138
PID 3132 wrote to memory of 5872	3132	setup.exe	139
PID 3132 wrote to memory of 5872	3132	setup.exe	139
PID 5872 wrote to memory of 6040	5872	setup.exe	140
PID 5872 wrote to memory of 6040	5872	setup.exe	140
PID 3132 wrote to memory of 948	3132	setup.exe	141
PID 3132 wrote to memory of 948	3132	setup.exe	141
PID 3132 wrote to memory of 1876	3132	setup.exe	142
PID 3132 wrote to memory of 1876	3132	setup.exe	142
PID 948 wrote to memory of 4884	948	setup.exe	143
PID 948 wrote to memory of 4884	948	setup.exe	143
PID 3132 wrote to memory of 3616	3132	setup.exe	144
PID 3132 wrote to memory of 3616	3132	setup.exe	144
PID 1876 wrote to memory of 6188	1876	setup.exe	145
PID 1876 wrote to memory of 6188	1876	setup.exe	145
PID 3616 wrote to memory of 6356	3616	setup.exe	146
PID 3616 wrote to memory of 6356	3616	setup.exe	146
PID 7440 wrote to memory of 7528	7440	MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe	150
PID 7440 wrote to memory of 7528	7440	MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe	150
PID 7528 wrote to memory of 7548	7528	setup.exe	151
PID 7528 wrote to memory of 7548	7528	setup.exe	151
PID 784 wrote to memory of 5956	784	4363463463464363463463463.exe	155
PID 784 wrote to memory of 5956	784	4363463463464363463463463.exe	155
PID 784 wrote to memory of 5956	784	4363463463464363463463463.exe	155

System policy modification 1 TTPs 4 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784
- C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwARgBpAGwAZQBzAFwATwBuAGUARAByAGkAdgBlAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAEYAaQBsAGUAcwBcAE8AbgBlAEQAcgBpAHYAZQAuAGUAeABlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAGQAbwBjAHUAbQBlAG4AdABzAFwATwBuAGUARAByAGkAdgBlAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABkAG8AYwB1AG0AZQBuAHQAcwBcAE8AbgBlAEQAcgBpAHYAZQAuAGUAeABlAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:5328
- C:\Users\Admin\AppData\Local\Temp\Files\aaa%20(3).exe
  "C:\Users\Admin\AppData\Local\Temp\Files\aaa%20(3).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5504
- C:\Users\Admin\AppData\Local\Temp\Files\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Update.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5880
- - C:\Users\Admin\AppData\Roaming\Update.exe
    "C:\Users\Admin\AppData\Roaming\Update.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Update.exe" "Update.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1520
- C:\Users\Admin\AppData\Local\Temp\Files\CISNSATEST.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\CISNSATEST.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7812
- C:\Users\Admin\AppData\Local\Temp\Files\heo.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\heo.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:3740
- C:\Users\Admin\AppData\Local\Temp\Files\stub.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5956 -s 448
    3⤵
    - Program crash
    PID:2484

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QkU4NUMwNzItNTQ0MS00OTVDLUIxNkEtNjkyM0UwMTdFN0E5fSIgdXNlcmlkPSJ7RTM3RTI5MTItRjY3MC00MDI5LUI2QjMtRDcwRUFBREYxOTAyfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MjQwMUEzQzktQTAwMS00Mzg3LUI4MDgtRDY1NTM4RjNENjY1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjMiIGluc3RhbGxkYXRldGltZT0iMTczOTE4NDcxMiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NjY2MDQzMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUwMTUxMzcwNDMiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1124

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe
"C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
"C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:6024
- C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4324

C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
"C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:6632
- C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:7224

C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
"C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:244
- C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2416

C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
"C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:7144
- C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4992

C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe
"C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5124

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4236

C:\Users\Admin\AppData\Local\Temp\Files\aaa%20(3).exe
"C:\Users\Admin\AppData\Local\Temp\Files\aaa%20(3).exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3632

C:\Users\Admin\AppData\Local\Temp\Files\heo.exe
"C:\Users\Admin\AppData\Local\Temp\Files\heo.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:7852

C:\Users\Admin\AppData\Local\Temp\Files\CISNSATEST.exe
"C:\Users\Admin\AppData\Local\Temp\Files\CISNSATEST.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5332

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\MicrosoftEdge_X64_133.0.3065.59.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3132
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff772eb6a68,0x7ff772eb6a74,0x7ff772eb6a80
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:7320
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:5872
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff772eb6a68,0x7ff772eb6a74,0x7ff772eb6a80
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:6040
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6fc4e6a68,0x7ff6fc4e6a74,0x7ff6fc4e6a80
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4884
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6fc4e6a68,0x7ff6fc4e6a74,0x7ff6fc4e6a80
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:6188
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6fc4e6a68,0x7ff6fc4e6a74,0x7ff6fc4e6a80
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:6356

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{61A04984-23EA-4E4E-BD59-4D8A0896B915}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{61A04984-23EA-4E4E-BD59-4D8A0896B915}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
1⤵
- Suspicious use of WriteProcessMemory
PID:7440
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{61A04984-23EA-4E4E-BD59-4D8A0896B915}\EDGEMITMP_D472E.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{61A04984-23EA-4E4E-BD59-4D8A0896B915}\EDGEMITMP_D472E.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{61A04984-23EA-4E4E-BD59-4D8A0896B915}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe" --previous-version="132.0.2957.140" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:7528
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{61A04984-23EA-4E4E-BD59-4D8A0896B915}\EDGEMITMP_D472E.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{61A04984-23EA-4E4E-BD59-4D8A0896B915}\EDGEMITMP_D472E.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{61A04984-23EA-4E4E-BD59-4D8A0896B915}\EDGEMITMP_D472E.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff63a5b6a68,0x7ff63a5b6a74,0x7ff63a5b6a80
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:7548

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QkU4NUMwNzItNTQ0MS00OTVDLUIxNkEtNjkyM0UwMTdFN0E5fSIgdXNlcmlkPSJ7RTM3RTI5MTItRjY3MC00MDI5LUI2QjMtRDcwRUFBREYxOTAyfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins2MTNBOTc5Ni1EOUFBLTQ3NTctOUJGOC1BQThBMDZFNzYwODd9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMyIgY29ob3J0PSJycmZAMC42MiI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSI0IiByZD0iNjYxNSIgcGluZ19mcmVzaG5lc3M9Ins2MzhDQzQ5Ni1DNDc0LTRGQjktOUI3NC05QTBGMTExNTlFOTJ9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkwLjAuODE4LjY2IiBuZXh0dmVyc2lvbj0iMTMzLjAuMzA2NS41OSIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSIzIiBpc19waW5uZWRfc3lzdGVtPSJ0cnVlIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzODM2NjAyNTM1ODYxMDAwIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTAyMzI0ODg0IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUxMDI0ODA1OTciIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEzODQyODI3MDEyIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvZmVkNTU4MDUtMmU4NS00MWQ4LWI0ZTMtNGVmNmI1ZWJmNjNhP1AxPTE3NDAxMDExMTcmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9UEc4WThna3BmcndMZ3dQTUZPMEZRTEY1aEhLa1VvS2lYaDgydXFTUHFFSUVwVGpxd1J2Yzk1YWYxTmV1T2cxVkF2TyUyYnZxdmVMeG8ySThJeFVBdWF0dyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjAiIHRvdGFsPSIwIiBkb3dubG9hZF90aW1lX21zPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDEyODk0IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzg0MjgyNzAxMiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvZmVkNTU4MDUtMmU4NS00MWQ4LWI0ZTMtNGVmNmI1ZWJmNjNhP1AxPTE3NDAxMDExMTcmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9UEc4WThna3BmcndMZ3dQTUZPMEZRTEY1aEhLa1VvS2lYaDgydXFTUHFFSUVwVGpxd1J2Yzk1YWYxTmV1T2cxVkF2TyUyYnZxdmVMeG8ySThJeFVBdWF0dyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjEwNTIzNDk0NyIgdG90YWw9IjE3ODYwNDA4OCIgZG93bmxvYWRfdGltZV9tcz0iNDE1ODcxIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDEyODk0IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzg0MjgyNzAxMiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0id2luaHR0cCIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvZmVkNTU4MDUtMmU4NS00MWQ4LWI0ZTMtNGVmNmI1ZWJmNjNhP1AxPTE3NDAxMDExMTcmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9UEc4WThna3BmcndMZ3dQTUZPMEZRTEY1aEhLa1VvS2lYaDgydXFTUHFFSUVwVGpxd1J2Yzk1YWYxTmV1T2cxVkF2TyUyYnZxdmVMeG8ySThJeFVBdWF0dyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IjE5OS4yMzIuMjEwLjE3MiIgY2RuX2NpZD0iMyIgY2RuX2NjYz0iR0IiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IkhJVCIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIyMjg5MTQyNCIgdG90YWw9IjE3ODYwNDA4OCIgZG93bmxvYWRfdGltZV9tcz0iMzQ0MDA2Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzg0MjgyNzAxMiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iZG8iIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2ZlZDU1ODA1LTJlODUtNDFkOC1iNGUzLTRlZjZiNWViZjYzYT9QMT0xNzQwMTAxMTE3JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PVBHOFk4Z2twZnJ3TGd3UE1GTzBGUUxGNWhIS2tVb0tpWGg4MnVxU1BxRUlFcFRqcXdSdmM5NWFmMU5ldU9nMVZBdk8lMmJ2cXZlTHhvMkk4SXhVQXVhdHclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIwIiB0b3RhbD0iMCIgZG93bmxvYWRfdGltZV9tcz0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzg0MjgyNzAxMiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvZmVkNTU4MDUtMmU4NS00MWQ4LWI0ZTMtNGVmNmI1ZWJmNjNhP1AxPTE3NDAxMDExMTcmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9UEc4WThna3BmcndMZ3dQTUZPMEZRTEY1aEhLa1VvS2lYaDgydXFTUHFFSUVwVGpxd1J2Yzk1YWYxTmV1T2cxVkF2TyUyYnZxdmVMeG8ySThJeFVBdWF0dyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE3ODYwNDA4OCIgdG90YWw9IjE3ODYwNDA4OCIgZG93bmxvYWRfdGltZV9tcz0iNjcyMzUiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTM4NDI5ODMyOTUiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTM4NTY1Nzc1MzMiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9IjE0NDc0MjMzNDgwIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iMzczNSIgZG93bmxvYWRfdGltZV9tcz0iODc0MDUwIiBkb3dubG9hZGVkPSIxNzg2MDQwODgiIHRvdGFsPSIxNzg2MDQwODgiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjYxNzQ5Ii8-PHBpbmcgYWN0aXZlPSIxIiBhPSI0IiByPSI0IiBhZD0iNjYxNSIgcmQ9IjY2MTUiIHBpbmdfZnJlc2huZXNzPSJ7MTU3ODY4MTItOTU1Qi00NTcxLTkyM0YtOUNFNTUyRDAyRjY1fSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IjEzMy4wLjMwNjUuNTkiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiB1cGRhdGVfY291bnQ9IjEiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUxMDIzMjQ4ODQiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTQ0NzQyMzM0ODAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE0NjMxMjc1MjY4IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvYTQ3MmVjZWMtYWU2OS00NDllLWI3YTItNGU4NmRmZWU1OGE5P1AxPTE3NDAxMDExMTgmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9bXlFUWNwNUtyaldDSjhwZmhQWktCNk5iVlJnU0UyQ2REbndmR3k3Y2txeWt0QVB0eHFiNUdRR3BYOUZkcmg3QnMlMmZyM2VONyUyZk9UMzNVVTElMmZ2ZTdpNXclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIwIiB0b3RhbD0iMCIgZG93bmxvYWRfdGltZV9tcz0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNDYzMTI3NTI2OCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvYTQ3MmVjZWMtYWU2OS00NDllLWI3YTItNGU4NmRmZWU1OGE5P1AxPTE3NDAxMDExMTgmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9bXlFUWNwNUtyaldDSjhwZmhQWktCNk5iVlJnU0UyQ2REbndmR3k3Y2txeWt0QVB0eHFiNUdRR3BYOUZkcmg3QnMlMmZyM2VONyUyZk9UMzNVVTElMmZ2ZTdpNXclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSI1ODQ5ODEyOCIgdG90YWw9IjU4NDk4MTI4IiBkb3dubG9hZF90aW1lX21zPSIxNTAzMiIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNDYzMTI3NTI2OCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNDYzOTg2OTQzMiIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTUxNDcwODY2NTMiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIzNzM1IiBkb3dubG9hZF90aW1lX21zPSIxNTY4OSIgZG93bmxvYWRlZD0iNTg0OTgxMjgiIHRvdGFsPSI1ODQ5ODEyOCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNTA3MjIiLz48cGluZyByPSI0IiByZD0iNjYxNSIgcGluZ19mcmVzaG5lc3M9Ins0MURBMTNGRS0wMzY0LTQyMzgtODQ1QS03NUEyQkRFMDlCOTl9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3160

C:\Users\Admin\AppData\Local\Temp\Files\heo.exe
"C:\Users\Admin\AppData\Local\Temp\Files\heo.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:7948

C:\Users\Admin\AppData\Local\Temp\Files\CISNSATEST.exe
"C:\Users\Admin\AppData\Local\Temp\Files\CISNSATEST.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5956 -ip 5956
1⤵
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Installer\setup.exe

Filesize
6.8MB

MD5
1b3e9c59f9c7a134ec630ada1eb76a39

SHA1
a7e831d392e99f3d37847dcc561dd2e017065439

SHA256
ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

SHA512
c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{61A04984-23EA-4E4E-BD59-4D8A0896B915}\EDGEMITMP_D472E.tmp\SETUP.EX_

Filesize
2.7MB

MD5
1a59a8af3c58b30ff0fe71db2196b24b

SHA1
6b0e5ba36f4fc5328ec494272054a50cafa13e68

SHA256
ba25974b29a25cb7bc1f58a0990a8ce758354aa6ec5b8b8af210f2c1466ba49d

SHA512
f173fe15db8d7aeef4f6fa62a41246550ccee207e6388095a5f87036362d4c95da646e1a7c68764054556e024da80b749646425076e9bfac42fb77be8f2c0355

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
8036a5d811a46670fc2d9ed64ec406c9

SHA1
4eb265fbe3db4b82431855f85e03951ec51f2c0f

SHA256
e6f2de7acb31fba46cd82dad80f7e2a76bf19a661959928a329823f7a4a9a53a

SHA512
a852a2b0c6f03abee03c298e81f5880bfa7c772bddeb212a0475834e03b0f1e606daac0a1b6a0c887dfba1c44e2bab272e182ed99321348da1ef601d29e65d50

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
c9fbeaf71d2bc92e74529a3ff6e031b0

SHA1
0bbf4957ed2bd4d99d3cea7d8be771cfa13c2d01

SHA256
907ba3f9f59c0adc50673d3875d33b15b9b17a8a5b7749202fda496bf9845159

SHA512
6da682b206b91848b09068a16928ecb4f0d1d5946c5cf7a969db1f880cf169f58427d557a4d10bbe6c7fd409e9d2b06d2ceeebfd7a56ee5a52eb522b22f043d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\02.08.2022.exe

Filesize
234KB

MD5
c8b62a9b62f8edbe98fe7803399ffa10

SHA1
c05a1ebd70dd056d2fe1b30c5846d661456be34c

SHA256
3904436345dd984b08f47079d953c26a4702181eb55a7c5a23e25899fe5c5058

SHA512
444d439d7a506284e8b6275c21dfd2cc7c30805507bc813b52f4905964d0d88861f59d811b469d15e8d94e937c87bc2c0a5172c88b04fc5b7cd905079031099a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\CISNSATEST.exe

Filesize
72KB

MD5
ab95efbeb890f50d89b56a14f2c0bbd1

SHA1
a90b055e0cfafb31b75bb2be8cac9a07f1c06088

SHA256
e473233c71a8855f9d52fe131830b56d0b5ea9b6eeb0e2d5528cbef29360668f

SHA512
b553e90455a4ad9f3e64d9b08ac4a71d99eb2386cd1ec2e2937fe52317c5e6de3794c471a52d1bd400e01277583807563b630cfbcb4ad2792111847eaa81f919

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\CleanerV2.exe

Filesize
764KB

MD5
e5d7bb8de25b1a417e274629d969600b

SHA1
d534e9c94af7c211ec36b2328b4611234a6b5a71

SHA256
2f7398a7dc31b4084edc140f68fd34100139153305afa6038a003aebd55f9fb0

SHA512
80d267fd4d043af41e90a1ece3aed74ab0af5728a5ba5d80cff7172910114af27fa36db714bb4cd084628f3141dea81f7d1a74532533d8dc8e99c5cf296ced6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe

Filesize
7.2MB

MD5
f4c69c9929cba50127916138658c1807

SHA1
b1b760ebd7eaa70b038fa6f159ac5aa1ce8030fa

SHA256
939ca243bd3a5bcdd5d617365b5331ed9c3d7861ab212bf8576a02de2d941d62

SHA512
da0436a5db456cd692cc378f911fc3c523fcc32b9e7e61b272b17a957d404c90d5d0830831975d817cf7fe69c3fb65f59a2a17d12e6f9215d4bf7fb65798b36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe

Filesize
1.3MB

MD5
1b99f0bf9216a89b8320e63cbd18a292

SHA1
6a199cb43cb4f808183918ddb6eadc760f7cb680

SHA256
5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357

SHA512
02b7f410c6ccfd7d43159287424916a310b7e82c91cdb85eaeade16cf5614265a8bdcce8e6dcc2240ea54930cfb190f26ada3d5c926b50617a9826197f9cf382

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\S%D0%B5tup.exe

Filesize
4.1MB

MD5
30a39343008efbab70b632c274e6f7e2

SHA1
566b9693a3aa39b17f34c02cffdf906e64778932

SHA256
5d1a98b024843417664b60641064995335e2ea31220124723908f59e926dab06

SHA512
1d4047fed9c6a48840a587fe2a4586a34e00f03dc64ae31e0c2345f52283205fc9165d6ec15d6e6c81032a5948065ba6047f4785c5a0666aea1fe417202084f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Update.exe

Filesize
48KB

MD5
a6fed209276015af14b2f088d52282af

SHA1
7ee00d72c43b4f6720340637b2773e88664a1b70

SHA256
c7ddec717bda7e1ef135d2815a795df62157cd14f1ac45c44c91868ae72c80d4

SHA512
b7f0d9279c556e58063ee768c078fec87993596463f5006fd7510527a49b3d598584ebaf6d9894340313d46961cbfbb09a0c7ed9c86c5d7348a791d4f5817f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\VPN-Installer.exe

Filesize
976KB

MD5
ec2890a2d11d0b67f873821d6b83fca3

SHA1
8e21eee3a1b154a3f2ca55f2075b3c33dce7a294

SHA256
3d7e660d66413479c2addd32a9e96691452b5d3cac5c5e9ef487bd18ad48739f

SHA512
2f18ab9c642b6aa13a39a2223980d544e2a549ae3feeaa09a61cea3a5812a81ac504c883b97947d9c84574788b182c0aa899e9524711f91692b714c47ab20197

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\aaa%20(3).exe

Filesize
45KB

MD5
8123d15bb6100a19ac103b4ec3d592bf

SHA1
713d2344beb28d34864768e7b2c0463044bdc014

SHA256
68e92585378abdd8a5e6ba42c20a66558ebbcc964c08ba3ce56d020568ebf16d

SHA512
ca048fc1aa53af7b517c2b894e038ed7e413690f2a9e9838c0a5624f9530b20ec8ca22c8d99b8b7ed1e049753970880ee047de984557e2e6c28a55ba2c974351

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\heo.exe

Filesize
27KB

MD5
feaca07182c6be327551ba4402a338c7

SHA1
5c699eb735def4473b9b02de282ccead84af1061

SHA256
26e9813dd9d80e2b2441d799608214697d7262e24c739bcc11563756c22d3efc

SHA512
0ada77bc81af9b5d865f06cd6f91457281bdebbf07183367b7d3d0bd598ad7d3ce081b0d1f0741efbbe6c3839620bb17b637ff9727cb3440d5b96b3eab70dda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\stub.exe

Filesize
326KB

MD5
f48972736d07992d0cfd2b8bc7972e27

SHA1
017d47686c76c1846da04992909214651972905f

SHA256
56d97e9f42ee5b7efdbfcd7d56da50e752fb08599f3422ee0cc9b697a92e56da

SHA512
1bac6e0f66104bd66505647c845b4b2eac918fb5986004325417dc3f9bcb20be39965bbca6781244e009966b49ea2e78989ca69a5c49f26c656fc8c0399ba345

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\_ctypes.pyd

Filesize
117KB

MD5
79f339753dc8954b8eb45fe70910937e

SHA1
3ad1bf9872dc779f32795988eb85c81fe47b3dd4

SHA256
35cdd122679041ebef264de5626b7805f3f66c8ae6cc451b8bc520be647fa007

SHA512
21e567e813180ed0480c4b21be3e2e67974d8d787e663275be054cee0a3f5161fc39034704dbd25f1412feb021d6a21b300a32d1747dee072820be81b9d9b753

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
e8b9d74bfd1f6d1cc1d99b24f44da796

SHA1
a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452

SHA256
b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59

SHA512
b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
cfe0c1dfde224ea5fed9bd5ff778a6e0

SHA1
5150e7edd1293e29d2e4d6bb68067374b8a07ce6

SHA256
0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e

SHA512
b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
33bbece432f8da57f17bf2e396ebaa58

SHA1
890df2dddfdf3eeccc698312d32407f3e2ec7eb1

SHA256
7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e

SHA512
619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
eb0978a9213e7f6fdd63b2967f02d999

SHA1
9833f4134f7ac4766991c918aece900acfbf969f

SHA256
ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e

SHA512
6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
efad0ee0136532e8e8402770a64c71f9

SHA1
cda3774fe9781400792d8605869f4e6b08153e55

SHA256
3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed

SHA512
69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
e89cdcd4d95cda04e4abba8193a5b492

SHA1
5c0aee81f32d7f9ec9f0650239ee58880c9b0337

SHA256
1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238

SHA512
55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
accc640d1b06fb8552fe02f823126ff5

SHA1
82ccc763d62660bfa8b8a09e566120d469f6ab67

SHA256
332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f

SHA512
6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
c6024cc04201312f7688a021d25b056d

SHA1
48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd

SHA256
8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500

SHA512
d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
1f2a00e72bc8fa2bd887bdb651ed6de5

SHA1
04d92e41ce002251cc09c297cf2b38c4263709ea

SHA256
9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142

SHA512
8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
3c38aac78b7ce7f94f4916372800e242

SHA1
c793186bcf8fdb55a1b74568102b4e073f6971d6

SHA256
3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d

SHA512
c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
321a3ca50e80795018d55a19bf799197

SHA1
df2d3c95fb4cbb298d255d342f204121d9d7ef7f

SHA256
5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f

SHA512
3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
0462e22f779295446cd0b63e61142ca5

SHA1
616a325cd5b0971821571b880907ce1b181126ae

SHA256
0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e

SHA512
07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
c3632083b312c184cbdd96551fed5519

SHA1
a93e8e0af42a144009727d2decb337f963a9312e

SHA256
be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125

SHA512
8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
f3ff2d544f5cd9e66bfb8d170b661673

SHA1
9e18107cfcd89f1bbb7fdaf65234c1dc8e614add

SHA256
e1c5d8984a674925fa4afbfe58228be5323fe5123abcd17ec4160295875a625f

SHA512
184b09c77d079127580ef80eb34bded0f5e874cefbe1c5f851d86861e38967b995d859e8491fcc87508930dc06c6bbf02b649b3b489a1b138c51a7d4b4e7aaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
a0c2dbe0f5e18d1add0d1ba22580893b

SHA1
29624df37151905467a223486500ed75617a1dfd

SHA256
3c29730df2b28985a30d9c82092a1faa0ceb7ffc1bd857d1ef6324cf5524802f

SHA512
3e627f111196009380d1687e024e6ffb1c0dcf4dcb27f8940f17fec7efdd8152ff365b43cb7fdb31de300955d6c15e40a2c8fb6650a91706d7ea1c5d89319b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
2666581584ba60d48716420a6080abda

SHA1
c103f0ea32ebbc50f4c494bce7595f2b721cb5ad

SHA256
27e9d3e7c8756e4512932d674a738bf4c2969f834d65b2b79c342a22f662f328

SHA512
befed15f11a0550d2859094cc15526b791dadea12c2e7ceb35916983fb7a100d89d638fb1704975464302fae1e1a37f36e01e4bef5bc4924ab8f3fd41e60bd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
225d9f80f669ce452ca35e47af94893f

SHA1
37bd0ffc8e820247bd4db1c36c3b9f9f686bbd50

SHA256
61c0ebe60ce6ebabcb927ddff837a9bf17e14cd4b4c762ab709e630576ec7232

SHA512
2f71a3471a9868f4d026c01e4258aff7192872590f5e5c66aabd3c088644d28629ba8835f3a4a23825631004b1afd440efe7161bb9fc7d7c69e0ee204813ca7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
1281e9d1750431d2fe3b480a8175d45c

SHA1
bc982d1c750b88dcb4410739e057a86ff02d07ef

SHA256
433bd8ddc4f79aee65ca94a54286d75e7d92b019853a883e51c2b938d2469baa

SHA512
a954e6ce76f1375a8beac51d751b575bbc0b0b8ba6aa793402b26404e45718165199c2c00ccbcba3783c16bdd96f0b2c17addcc619c39c8031becebef428ce77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
fd46c3f6361e79b8616f56b22d935a53

SHA1
107f488ad966633579d8ec5eb1919541f07532ce

SHA256
0dc92e8830bc84337dcae19ef03a84ef5279cf7d4fdc2442c1bc25320369f9df

SHA512
3360b2e2a25d545ccd969f305c4668c6cda443bbdbd8a8356ffe9fbc2f70d90cf4540f2f28c9ed3eea6c9074f94e69746e7705e6254827e6a4f158a75d81065b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-util-l1-1-0.dll

Filesize
21KB

MD5
0f129611a4f1e7752f3671c9aa6ea736

SHA1
40c07a94045b17dae8a02c1d2b49301fad231152

SHA256
2e1f090aba941b9d2d503e4cd735c958df7bb68f1e9bdc3f47692e1571aaac2f

SHA512
6abc0f4878bb302713755a188f662c6fe162ea6267e5e1c497c9ba9fddbdaea4db050e322cb1c77d6638ecf1dad940b9ebc92c43acaa594040ee58d313cbcfae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
d4fba5a92d68916ec17104e09d1d9d12

SHA1
247dbc625b72ffb0bf546b17fb4de10cad38d495

SHA256
93619259328a264287aee7c5b88f7f0ee32425d7323ce5dc5a2ef4fe3bed90d5

SHA512
d5a535f881c09f37e0adf3b58d41e123f527d081a1ebecd9a927664582ae268341771728dc967c30908e502b49f6f853eeaebb56580b947a629edc6bce2340d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
edf71c5c232f5f6ef3849450f2100b54

SHA1
ed46da7d59811b566dd438fa1d09c20f5dc493ce

SHA256
b987ab40cdd950ebe7a9a9176b80b8fffc005ccd370bb1cbbcad078c1a506bdc

SHA512
481a3c8dc5bef793ee78ce85ec0f193e3e9f6cd57868b813965b312bd0fadeb5f4419707cd3004fbdb407652101d52e061ef84317e8bd458979443e9f8e4079a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
f9235935dd3ba2aa66d3aa3412accfbf

SHA1
281e548b526411bcb3813eb98462f48ffaf4b3eb

SHA256
2f6bd6c235e044755d5707bd560a6afc0ba712437530f76d11079d67c0cf3200

SHA512
ad0c0a7891fb8328f6f0cf1ddc97523a317d727c15d15498afa53c07610210d2610db4bc9bd25958d47adc1af829ad4d7cf8aabcab3625c783177ccdb7714246

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
5107487b726bdcc7b9f7e4c2ff7f907c

SHA1
ebc46221d3c81a409fab9815c4215ad5da62449c

SHA256
94a86e28e829276974e01f8a15787fde6ed699c8b9dc26f16a51765c86c3eade

SHA512
a0009b80ad6a928580f2b476c1bdf4352b0611bb3a180418f2a42cfa7a03b9f0575ed75ec855d30b26e0cca96a6da8affb54862b6b9aff33710d2f3129283faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
d5d77669bd8d382ec474be0608afd03f

SHA1
1558f5a0f5facc79d3957ff1e72a608766e11a64

SHA256
8dd9218998b4c4c9e8d8b0f8b9611d49419b3c80daa2f437cbf15bcfd4c0b3b8

SHA512
8defa71772105fd9128a669f6ff19b6fe47745a0305beb9a8cadb672ed087077f7538cd56e39329f7daa37797a96469eae7cd5e4cca57c9a183b35bdc44182f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-crt-locale-l1-1-0.dll

Filesize
21KB

MD5
650435e39d38160abc3973514d6c6640

SHA1
9a5591c29e4d91eaa0f12ad603af05bb49708a2d

SHA256
551a34c400522957063a2d71fa5aba1cd78cc4f61f0ace1cd42cc72118c500c0

SHA512
7b4a8f86d583562956593d27b7ecb695cb24ab7192a94361f994fadba7a488375217755e7ed5071de1d0960f60f255aa305e9dd477c38b7bb70ac545082c9d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-crt-math-l1-1-0.dll

Filesize
29KB

MD5
b8f0210c47847fc6ec9fbe2a1ad4debb

SHA1
e99d833ae730be1fedc826bf1569c26f30da0d17

SHA256
1c4a70a73096b64b536be8132ed402bcfb182c01b8a451bff452efe36ddf76e7

SHA512
992d790e18ac7ae33958f53d458d15bff522a3c11a6bd7ee2f784ac16399de8b9f0a7ee896d9f2c96d1e2c8829b2f35ff11fc5d8d1b14c77e22d859a1387797c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-crt-process-l1-1-0.dll

Filesize
21KB

MD5
272c0f80fd132e434cdcdd4e184bb1d8

SHA1
5bc8b7260e690b4d4039fe27b48b2cecec39652f

SHA256
bd943767f3e0568e19fb52522217c22b6627b66a3b71cd38dd6653b50662f39d

SHA512
94892a934a92ef1630fbfea956d1fe3a3bfe687dec31092828960968cb321c4ab3af3caf191d4e28c8ca6b8927fbc1ec5d17d5c8a962c848f4373602ec982cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
20c0afa78836b3f0b692c22f12bda70a

SHA1
60bb74615a71bd6b489c500e6e69722f357d283e

SHA256
962d725d089f140482ee9a8ff57f440a513387dd03fdc06b3a28562c8090c0bc

SHA512
65f0e60136ab358661e5156b8ecd135182c8aaefd3ec320abdf9cfc8aeab7b68581890e0bbc56bad858b83d47b7a0143fa791195101dc3e2d78956f591641d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
96498dc4c2c879055a7aff2a1cc2451e

SHA1
fecbc0f854b1adf49ef07beacad3cec9358b4fb2

SHA256
273817a137ee049cbd8e51dc0bb1c7987df7e3bf4968940ee35376f87ef2ef8d

SHA512
4e0b2ef0efe81a8289a447eb48898992692feee4739ceb9d87f5598e449e0059b4e6f4eb19794b9dcdce78c05c8871264797c14e4754fd73280f37ec3ea3c304

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
115e8275eb570b02e72c0c8a156970b3

SHA1
c305868a014d8d7bbef9abbb1c49a70e8511d5a6

SHA256
415025dce5a086dbffc4cf322e8ead55cb45f6d946801f6f5193df044db2f004

SHA512
b97ef7c5203a0105386e4949445350d8ff1c83bdeaee71ccf8dc22f7f6d4f113cb0a9be136717895c36ee8455778549f629bf8d8364109185c0bf28f3cb2b2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
001e60f6bbf255a60a5ea542e6339706

SHA1
f9172ec37921432d5031758d0c644fe78cdb25fa

SHA256
82fba9bc21f77309a649edc8e6fc1900f37e3ffcb45cd61e65e23840c505b945

SHA512
b1a6dc5a34968fbdc8147d8403adf8b800a06771cc9f15613f5ce874c29259a156bab875aae4caaec2117817ce79682a268aa6e037546aeca664cd4eea60adbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
a0776b3a28f7246b4a24ff1b2867bdbf

SHA1
383c9a6afda7c1e855e25055aad00e92f9d6aaff

SHA256
2e554d9bf872a64d2cd0f0eb9d5a06dea78548bc0c7a6f76e0a0c8c069f3c0a9

SHA512
7c9f0f8e53b363ef5b2e56eec95e7b78ec50e9308f34974a287784a1c69c9106f49ea2d9ca037f0a7b3c57620fcbb1c7c372f207c68167df85797affc3d7f3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\base_library.zip

Filesize
858KB

MD5
1ebb920a2696a11237f3e8e4af10d802

SHA1
f86a052e2dfa2df8884ebf80832814f920a820e6

SHA256
d0e26325e67b3db749a83698413c4c270d8b26cd7dbc607006bc526ee784d6df

SHA512
2cfa6746dcdf575f26267b359a8820a6f29d81967c62131463802b30db2e17c8f159a2cbc652f25bdfdfd7c5942d26a26f9e1df984f8560696153a3427e4fb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\libcrypto-1_1.dll

Filesize
3.3MB

MD5
63c4f445b6998e63a1414f5765c18217

SHA1
8c1ac1b4290b122e62f706f7434517077974f40e

SHA256
664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2

SHA512
aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\libssl-1_1.dll

Filesize
678KB

MD5
bd857f444ebbf147a8fcd1215efe79fc

SHA1
1550e0d241c27f41c63f197b1bd669591a20c15b

SHA256
b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf

SHA512
2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\pyexpat.pyd

Filesize
187KB

MD5
983d8e003e772e9c078faad820d14436

SHA1
1c90ad33dc4fecbdeb21f35ca748aa0094601c07

SHA256
e2146bed9720eb94388532551444f434d3195310fa7bd117253e7df81a8e187e

SHA512
e7f0fd841c41f313c1782331c0f0aa35e1d8ba42475d502d08c3598a3aaefd400179c19613941cdfad724eca067dd1b2f4c2f1e8a1d6f70eeb29f7b2213e6500

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\python3.dll

Filesize
60KB

MD5
a5471f05fd616b0f8e582211ea470a15

SHA1
cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e

SHA256
8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790

SHA512
e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\select.pyd

Filesize
25KB

MD5
78d421a4e6b06b5561c45b9a5c6f86b1

SHA1
c70747d3f2d26a92a0fe0b353f1d1d01693929ac

SHA256
f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823

SHA512
83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI71442\_bz2.pyd

Filesize
78KB

MD5
b45e82a398713163216984f2feba88f6

SHA1
eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839

SHA256
4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8

SHA512
b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI71442\_decimal.pyd

Filesize
241KB

MD5
1cdd7239fc63b7c8a2e2bc0a08d9ea76

SHA1
85ef6f43ba1343b30a223c48442a8b4f5254d5b0

SHA256
384993b2b8cfcbf155e63f0ee2383a9f9483de92ab73736ff84590a0c4ca2690

SHA512
ba4e19e122f83d477cc4be5e0dea184dafba2f438a587dd4f0ef038abd40cb9cdc1986ee69c34bac3af9cf2347bea137feea3b82e02cca1a7720d735cea7acda

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI71442\_hashlib.pyd

Filesize
57KB

MD5
cfb9e0a73a6c9d6d35c2594e52e15234

SHA1
b86042c96f2ce6d8a239b7d426f298a23df8b3b9

SHA256
50daeb3985302a8d85ce8167b0bf08b9da43e7d51ceae50e8e1cdfb0edf218c6

SHA512
22a5fd139d88c0eee7241c5597d8dbbf2b78841565d0ed0df62383ab50fde04b13a203bddef03530f8609f5117869ed06894a572f7655224285823385d7492d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI71442\_lzma.pyd

Filesize
149KB

MD5
5a77a1e70e054431236adb9e46f40582

SHA1
be4a8d1618d3ad11cfdb6a366625b37c27f4611a

SHA256
f125a885c10e1be4b12d988d6c19128890e7add75baa935fe1354721aa2dea3e

SHA512
3c14297a1400a93d1a01c7f8b4463bfd6be062ec08daaf5eb7fcbcde7f4fa40ae06e016ff0de16cb03b987c263876f2f437705adc66244d3ee58f23d6bf7f635

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI71442\_queue.pyd

Filesize
26KB

MD5
c9ee37e9f3bffd296ade10a27c7e5b50

SHA1
b7eee121b2918b6c0997d4889cff13025af4f676

SHA256
9ecec72c5fe3c83c122043cad8ceb80d239d99d03b8ea665490bbced183ce42a

SHA512
c63bb1b5d84d027439af29c4827fa801df3a2f3d5854c7c79789cad3f5f7561eb2a7406c6f599d2ac553bc31969dc3fa9eef8648bed7282fbc5dc3fb3ba4307f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI71442\_socket.pyd

Filesize
72KB

MD5
5dd51579fa9b6a06336854889562bec0

SHA1
99c0ed0a15ed450279b01d95b75c162628c9be1d

SHA256
3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c

SHA512
7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI71442\_ssl.pyd

Filesize
152KB

MD5
11c5008e0ba2caa8adf7452f0aaafd1e

SHA1
764b33b749e3da9e716b8a853b63b2f7711fcc7c

SHA256
bf63f44951f14c9d0c890415d013276498d6d59e53811bbe2fa16825710bea14

SHA512
fceb022d8694bce6504d6b64de4596e2b8252fc2427ee66300e37bcff297579cc7d32a8cb8f847408eaa716cb053e20d53e93fbd945e3f60d58214e6a969c9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI71442\certifi\cacert.pem

Filesize
292KB

MD5
50ea156b773e8803f6c1fe712f746cba

SHA1
2c68212e96605210eddf740291862bdf59398aef

SHA256
94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

SHA512
01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI71442\charset_normalizer\md.cp310-win_amd64.pyd

Filesize
10KB

MD5
f33ca57d413e6b5313272fa54dbc8baa

SHA1
4e0cabe7d38fe8d649a0a497ed18d4d1ca5f4c44

SHA256
9b3d70922dcfaeb02812afa9030a40433b9d2b58bcf088781f9ab68a74d20664

SHA512
f17c06f4202b6edbb66660d68ff938d4f75b411f9fab48636c3575e42abaab6464d66cb57bce7f84e8e2b5755b6ef757a820a50c13dd5f85faa63cd553d3ff32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI71442\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

Filesize
117KB

MD5
494f5b9adc1cfb7fdb919c9b1af346e1

SHA1
4a5fddd47812d19948585390f76d5435c4220e6b

SHA256
ad9bcc0de6815516dfde91bb2e477f8fb5f099d7f5511d0f54b50fa77b721051

SHA512
2c0d68da196075ea30d97b5fd853c673e28949df2b6bf005ae72fd8b60a0c036f18103c5de662cac63baaef740b65b4ed2394fcd2e6da4dfcfbeef5b64dab794

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI71442\psutil\_psutil_windows.pyd

Filesize
65KB

MD5
3e579844160de8322d574501a0f91516

SHA1
c8de193854f7fc94f103bd4ac726246981264508

SHA256
95f01ce7e37f6b4b281dbc76e9b88f28a03cb02d41383cc986803275a1cd6333

SHA512
ee2a026e8e70351d395329c78a07acb1b9440261d2557f639e817a8149ba625173ef196aed3d1c986577d78dc1a7ec9fed759c19346c51511474fe6d235b1817

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI71442\unicodedata.pyd

Filesize
1.1MB

MD5
a40ff441b1b612b3b9f30f28fa3c680d

SHA1
42a309992bdbb68004e2b6b60b450e964276a8fc

SHA256
9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08

SHA512
5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kbhz0ejt.jpx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\current_version_DiscordSpotifyBypass.txt

Filesize
3B

MD5
cb5ae17636e975f9bf71ddf5bc542075

SHA1
180505679cfe0cca79bae51fdda0296b7cd9c493

SHA256
14be4b45f18e0d8c67b4f719b5144eee88497e413709d11d85b096d8e2346310

SHA512
957f720b6d516c8e273968c9be2ffbe146329c1a11a2097844206f030dfde1f4efe3379eb68316d1c7426457144d9576dad04e46b10c0ca8d8b9a5d668387a1b

Download Submit
memory/784-5-0x0000000073A90000-0x0000000074241000-memory.dmp

Filesize
7.7MB

Download
memory/784-1-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/784-2-0x00000000050B0000-0x000000000514C000-memory.dmp

Filesize
624KB

Download
memory/784-3-0x0000000073A90000-0x0000000074241000-memory.dmp

Filesize
7.7MB

Download
memory/784-4-0x0000000073A9E000-0x0000000073A9F000-memory.dmp

Filesize
4KB

Download
memory/784-0-0x0000000073A9E000-0x0000000073A9F000-memory.dmp

Filesize
4KB

Download
memory/2644-58-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-72-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-82-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-86-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-88-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-90-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-92-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-95-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-96-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-98-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-100-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-102-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-84-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-56-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-49-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-48-0x0000025523CA0000-0x0000025523DA6000-memory.dmp

Filesize
1.0MB

Download
memory/2644-47-0x0000025509450000-0x000002550959A000-memory.dmp

Filesize
1.3MB

Download
memory/2644-1146-0x00000255242A0000-0x00000255242CC000-memory.dmp

Filesize
176KB

Download
memory/2644-1141-0x00000255241D0000-0x0000025524224000-memory.dmp

Filesize
336KB

Download
memory/2644-1124-0x0000025523B50000-0x0000025523B9C000-memory.dmp

Filesize
304KB

Download
memory/2644-1123-0x0000025523AD0000-0x0000025523B50000-memory.dmp

Filesize
512KB

Download
memory/2644-78-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-74-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-80-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-70-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-68-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-66-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-64-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-60-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-54-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-52-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-50-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-76-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/2644-62-0x0000025523CA0000-0x0000025523DA1000-memory.dmp

Filesize
1.0MB

Download
memory/3040-1137-0x000001807EF90000-0x000001807EFB2000-memory.dmp

Filesize
136KB

Download
memory/5076-27-0x0000018915400000-0x0000018915401000-memory.dmp

Filesize
4KB

Download
memory/5076-28-0x0000018915400000-0x0000018915401000-memory.dmp

Filesize
4KB

Download
memory/5076-22-0x0000018915400000-0x0000018915401000-memory.dmp

Filesize
4KB

Download
memory/5076-18-0x0000018915400000-0x0000018915401000-memory.dmp

Filesize
4KB

Download
memory/5076-17-0x0000018915400000-0x0000018915401000-memory.dmp

Filesize
4KB

Download
memory/5076-16-0x0000018915400000-0x0000018915401000-memory.dmp

Filesize
4KB

Download
memory/5076-26-0x0000018915400000-0x0000018915401000-memory.dmp

Filesize
4KB

Download
memory/5076-25-0x0000018915400000-0x0000018915401000-memory.dmp

Filesize
4KB

Download
memory/5076-24-0x0000018915400000-0x0000018915401000-memory.dmp

Filesize
4KB

Download
memory/5076-23-0x0000018915400000-0x0000018915401000-memory.dmp

Filesize
4KB

Download
memory/5504-3707-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download