orcus | d9dc36b7bedf2632fe0a7ca99478b20406d288a69bd7b65e5da2c9d748a5b81f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2025 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RamBoost.exe
Size

11.1MB
MD5

a5c93db4c83dab084d6d4ae80ce1e527
SHA1

e90866ae65781058b98cb155e35b7ce1445d6139
SHA256

d9dc36b7bedf2632fe0a7ca99478b20406d288a69bd7b65e5da2c9d748a5b81f
SHA512

e61fdcabc99dbef705ac83dfa347c5f12b584ceec8b4f2fa7997a3f12722944987e65620d2f8764174e2145e7b3e7cf31372f4a591a38e4fc4496063f03e35b7
SSDEEP

24576:CuQ4MROxnFD3+74S4xrZlI0AilFEvxHiVq7:CuzMiJxrZlI0AilFEvxHi4

Score

10^/10

orcus discovery ransomware rat spyware stealer

Malware Config

Extracted

Family

orcus

dandev.us.to:1015

Mutex

33346576134e432b900bfc3fb9baec32

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%temp%\Updater.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\Watchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000400000001e4e3-54.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x000400000001e4e3-54.dat	orcus
behavioral1/memory/1628-64-0x0000000000E80000-0x0000000000F98000-memory.dmp	orcus

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	RamBoost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	Watchdog.exe

Executes dropped EXE 6 IoCs

pid	Process
4520	WindowsInput.exe
1592	WindowsInput.exe
1628	Updater.exe
2708	Updater.exe
3868	Watchdog.exe
4540	Watchdog.exe

Loads dropped DLL 1 IoCs

pid	Process
1628	Updater.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RamBoost.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RamBoost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	RamBoost.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	RamBoost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp"	Updater.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	RamBoost.exe
File opened for modification	C:\Windows\assembly	RamBoost.exe
File created	C:\Windows\assembly\Desktop.ini	RamBoost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Watchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Watchdog.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Control Panel 2 IoCs

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\Desktop\WallpaperStyle = "1"	Updater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\Desktop\TileWallpaper = "1"	Updater.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1874072718-2205492803-118941907-1000\{635C718D-F4C6-4085-89C5-F7BD55256927}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1628	Updater.exe
1628	Updater.exe
1628	Updater.exe
4540	Watchdog.exe
4540	Watchdog.exe
4540	Watchdog.exe
1628	Updater.exe
4540	Watchdog.exe
1628	Updater.exe
4540	Watchdog.exe
1628	Updater.exe
4540	Watchdog.exe
1628	Updater.exe
4540	Watchdog.exe
4332	msedge.exe
4332	msedge.exe
1628	Updater.exe
1628	Updater.exe
4540	Watchdog.exe
4540	Watchdog.exe
4368	msedge.exe
4368	msedge.exe
1628	Updater.exe
4540	Watchdog.exe
1628	Updater.exe
4540	Watchdog.exe
1628	Updater.exe
4540	Watchdog.exe
1628	Updater.exe
4540	Watchdog.exe
1628	Updater.exe
4540	Watchdog.exe
1628	Updater.exe
4540	Watchdog.exe
1628	Updater.exe
4540	Watchdog.exe
1628	Updater.exe
4540	Watchdog.exe
1628	Updater.exe
4540	Watchdog.exe
1628	Updater.exe
4540	Watchdog.exe
1628	Updater.exe
4540	Watchdog.exe
1628	Updater.exe
4540	Watchdog.exe
1628	Updater.exe
1628	Updater.exe
1384	identity_helper.exe
1384	identity_helper.exe
4540	Watchdog.exe
4540	Watchdog.exe
1628	Updater.exe
4540	Watchdog.exe
1628	Updater.exe
4540	Watchdog.exe
1628	Updater.exe
4540	Watchdog.exe
1628	Updater.exe
4540	Watchdog.exe
1628	Updater.exe
4540	Watchdog.exe
4540	Watchdog.exe
1628	Updater.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1628	Updater.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	Updater.exe
Token: SeDebugPrivilege	3868	Watchdog.exe
Token: SeDebugPrivilege	4540	Watchdog.exe
Token: 33	4264	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4264	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1628	Updater.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 3672	388	RamBoost.exe	88
PID 388 wrote to memory of 3672	388	RamBoost.exe	88
PID 3672 wrote to memory of 520	3672	csc.exe	90
PID 3672 wrote to memory of 520	3672	csc.exe	90
PID 388 wrote to memory of 4520	388	RamBoost.exe	91
PID 388 wrote to memory of 4520	388	RamBoost.exe	91
PID 388 wrote to memory of 1628	388	RamBoost.exe	93
PID 388 wrote to memory of 1628	388	RamBoost.exe	93
PID 1628 wrote to memory of 3868	1628	Updater.exe	95
PID 1628 wrote to memory of 3868	1628	Updater.exe	95
PID 1628 wrote to memory of 3868	1628	Updater.exe	95
PID 3868 wrote to memory of 4540	3868	Watchdog.exe	97
PID 3868 wrote to memory of 4540	3868	Watchdog.exe	97
PID 3868 wrote to memory of 4540	3868	Watchdog.exe	97
PID 4368 wrote to memory of 1432	4368	msedge.exe	100
PID 4368 wrote to memory of 1432	4368	msedge.exe	100
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 948	4368	msedge.exe	101
PID 4368 wrote to memory of 4332	4368	msedge.exe	102
PID 4368 wrote to memory of 4332	4368	msedge.exe	102
PID 4368 wrote to memory of 2376	4368	msedge.exe	103
PID 4368 wrote to memory of 2376	4368	msedge.exe	103
PID 4368 wrote to memory of 2376	4368	msedge.exe	103
PID 4368 wrote to memory of 2376	4368	msedge.exe	103
PID 4368 wrote to memory of 2376	4368	msedge.exe	103
PID 4368 wrote to memory of 2376	4368	msedge.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RamBoost.exe
"C:\Users\Admin\AppData\Local\Temp\RamBoost.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:388
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s7h-tiea.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES197F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC197E.tmp"
    3⤵
    PID:520
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4520
- C:\Users\Admin\AppData\Local\Temp\Updater.exe
  "C:\Users\Admin\AppData\Local\Temp\Updater.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Users\Admin\AppData\Roaming\Watchdog.exe
    "C:\Users\Admin\AppData\Roaming\Watchdog.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Local\Temp\Updater.exe" 1628 /protectFile
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Users\Admin\AppData\Roaming\Watchdog.exe
      "C:\Users\Admin\AppData\Roaming\Watchdog.exe" /watchProcess "C:\Users\Admin\AppData\Local\Temp\Updater.exe" 1628 "/protectFile"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4540
- - C:\Windows\SYSTEM32\shutdown.exe
    "shutdown.exe" /l /t 0
    3⤵
    PID:2516

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:1592

C:\Users\Admin\AppData\Local\Temp\Updater.exe
C:\Users\Admin\AppData\Local\Temp\Updater.exe
1⤵
- Executes dropped EXE
PID:2708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa206f46f8,0x7ffa206f4708,0x7ffa206f4718
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,8392429432431294559,2877574301138678822,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,8392429432431294559,2877574301138678822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,8392429432431294559,2877574301138678822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3084 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8392429432431294559,2877574301138678822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8392429432431294559,2877574301138678822,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8392429432431294559,2877574301138678822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8392429432431294559,2877574301138678822,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,8392429432431294559,2877574301138678822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,8392429432431294559,2877574301138678822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8392429432431294559,2877574301138678822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4296 /prefetch:1
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8392429432431294559,2877574301138678822,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8392429432431294559,2877574301138678822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8392429432431294559,2877574301138678822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8392429432431294559,2877574301138678822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2000,8392429432431294559,2877574301138678822,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2000,8392429432431294559,2877574301138678822,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8392429432431294559,2877574301138678822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2080 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8392429432431294559,2877574301138678822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8392429432431294559,2877574301138678822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,8392429432431294559,2877574301138678822,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2752 /prefetch:2
  2⤵
  PID:1736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:208

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4dc 0x378
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Watchdog.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e27df0383d108b2d6cd975d1b42b1afe

SHA1
c216daa71094da3ffa15c787c41b0bc7b32ed40b

SHA256
812f547f1e22a4bd045b73ff548025fabd59c6cba0da6991fdd8cfcb32653855

SHA512
471935e26a55d26449e48d4c38933ab8c369a92d8f24fd6077131247e8d116d95aa110dd424fa6095176a6c763a6271e978766e74d8022e9cdcc11e6355408ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
395082c6d7ec10a326236e60b79602f2

SHA1
203db9756fc9f65a0181ac49bca7f0e7e4edfb5b

SHA256
b9ea226a0a67039df83a9652b42bb7b0cc2e6fa827d55d043bc36dd9d8e4cd25

SHA512
7095c260b87a0e31ddfc5ddf5730848433dcede2672ca71091efb8c6b1b0fc3333d0540c3ce41087702c99bca22a4548f12692234188e6f457c2f75ab12316bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000041

Filesize
66KB

MD5
8aca43d81fbcf0101c7e53ff877b02db

SHA1
1bb8d51755ef67dd2e5302f87585b0ef3abc261b

SHA256
c2bec5b217c0428bebcd6337b94dbbf943718f0608bf47edd29ff6bdaadf454d

SHA512
1a0d67dd5725f9864556ef6e26b3f21c3cd74d6b2e2b6577f416df617251d41351881da5e7e5b9d6fb042a5f506383c825cfca20f5526ba0f56bc7ba0719853d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
4e2d28213a144f7fe033109dcbe61e98

SHA1
727f656af688751a2e19903d8214ece3eb3eb42f

SHA256
c0b97c401b13244ad806940bb40abbd263b269842bb4bee5c4b446545b4d7700

SHA512
0958028902f4935e6c58c0aa73dac2f70cb69c3d555dee608e0baa6faebdcf6b247c5e85bde49eef16b75f93d3923ba1d76fa7f642e9fe41ebaa3ca757cb2750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
72B

MD5
13d241c8d2f65205c185b94ea3ffc078

SHA1
47a5f7b761361c173f178e7c9cde08c724cfe1b4

SHA256
5aaf4f7e49b442c5585b8b4f5cd1f30c4ceb0c19c242ad03eb740673392b1d30

SHA512
752a631948122b4fde144e3539ebf3683eee8819e8e3805556b5d922b09302ebc377e45ef1e0bd240792428111eaef8ee9e5a65c572ecae33632422548719b96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
6098c48e6e9a693df16779ad06d26bdf

SHA1
87e7d3759fa9d2da7e705022d49370ddbd214132

SHA256
667e7bfd1cbe6a0dbacd56e94db4eb592570027c382744faf3f1ffeea3a6e5a7

SHA512
b6fe8adad2b56dbc6248013668f954e621bdeade3005f795e3babce94954ce2b728dc5be4abd0c9452c0d4435ca706319df5e41769298adbb4ed5116c7b1cd9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
dbdcc06af0989021f1b8ff0b1b19953a

SHA1
0e9e90bb8e41cac96a074eb5d619c9d5525d76b1

SHA256
ac1f2d56aba526a543b4708b6564c56612c8ce35acc73a0902a70142aafdbdd4

SHA512
335ad5f441e347ad90a6f6fe2bf13e8b589cf2b73567d32e9ea1f91bbfa7e06d2d3223c14fc39cd24e047c5d6c8d50daa37f88f45c564a1788acd26e6a401c62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
800bb333c733c6d6a4b75ad28f10a514

SHA1
e90053f0fbd5994d239bc9872e26179ec9e5c2eb

SHA256
965f06f4e96e7c80fb37a8c6fdef6ec589f9c925e95ef0a094fa7cd60e9ad411

SHA512
83e0134a50bd153c5f9b52a85c738d34d679909a3f6703e12499cacf0acbaec29636f6daf05778d3f7bdf8f2c36f5959015ecd6eeb2bac79fd12ec83fafed54d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
53ee671fa148f6413bb7a3a7157e0592

SHA1
1e80e22d6fc84afbd135fe3feeddb0fc3b55a1cd

SHA256
f92f5a36b45f7b0b0b7dca8c92cb329dda6d12d1ff71a63b0080aeb9b85a05b4

SHA512
e3f2ad7595a1a36f9d157f74d0018c520a9072f2ed87709578bf01acc13000d1a6f4ae24934d4012dd8085947961426c915e3ab1594ca91f99f0a1be5f4cf3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
3d7d0c9ad1aead4fef9ebeb027baf6aa

SHA1
96d8fbae1514b826e0dac9a157d2609a3aa1c956

SHA256
84d35ceec78b7b2cb2f60022a0f98a15959f2325cc9df045767633dd128b1e23

SHA512
bd3aa59b5e2eaf8f5f6d999d8bb8db74d00a214b88ea48e5796dd65697371da54e73734f703af70a37e9577ea43d13ba27afe74194e5646f1d5d4b74ddfc7998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58db96.TMP

Filesize
48B

MD5
f3f464ee4c3af157ca282ee216064101

SHA1
525598835dd7a86d6d00809385f1bef07e9ebe66

SHA256
75a5142288ef4af7cf7290c1dbbcee8ff49cd13cc0176752b403154ff687b37f

SHA512
fce0ddecfc6b326f125a50b18def21a848e22019b837eeea05d78140e5ca8c09aa32e01a5655df6d18cf6c861639dd3bd5dfa1c8db0c6a01faf5c92788f7db53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
3388bd69db0ac3d62a8b8d64d5da30a5

SHA1
df74aca381418f7bdfa16ef082f01a473303a94f

SHA256
0814f5045fa7c8c4339a2c62f9ef663e623f6eb1a9bf2648c72607bb29c4bba2

SHA512
8028496f8c06a6119d8415a75daa4235b08595ea6252b106bf1616659d865ba33e0512f7851782f259d9c964ab1e6eb4c7731da614be2007b480deacb258d3df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
67c4c93e6c742a6b2c334de5c9e8169a

SHA1
343f6f914790c86a99837c34e943814be0cd2eaf

SHA256
79b098bf55d5ed8e7de43373cd0e0413599488b8fe93e6e87ea19b222abf3814

SHA512
582915e5c56a2c53a6d433c3ad17df82ba3fff98f33e8fc0fc1fb300bbd2bafb37a22e734aa416fec20ec901a8605510b748c2876a3a7fe13e669d77c1d4c646

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe590110.TMP

Filesize
706B

MD5
6075cff33b72cfa6bf0b851b24fc9900

SHA1
fec706d53dbb5ca91797e481c8c1e3495d8428ab

SHA256
6f8fe125f19f447aa42d872792d5711ae55a8da07a67db9b97ead0482ff9509d

SHA512
f2fbae544ad311fdc9d6608919ec72cd63d7addbfb4e6db3597bbad1a560a7c749ee394c45f30b2437329361201c44589b30aaabbe7834ec372b8a44f0172833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
accdbe81e81ac6b87db2431bf8957942

SHA1
a356012259859cbdf1fb67882e616bd87a457453

SHA256
5bb9d3a52a90347eef7db43f03ba21350a56284cda2aa326a33ec2811118a1d9

SHA512
f377e97caccd096c78e8f3103f651c464ba5367a4e09bdfd0358409fa0a38150d08070046ba0e7129f5052400796e0bf17e2a07b3e0dc057c428a3b47cd13299

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES197F.tmp

Filesize
1KB

MD5
987a462bf0ca39bc2df39b19f1cd78fd

SHA1
b4b1b43b441520ab927fa37a8fc53ab78bab90ef

SHA256
e265a777e7ee65382dad5cbcaebf3271e4ec9d6a3c0a75777723ef22ea637fac

SHA512
02693f8db019a28ccee44416a40de49e6a38e9c48c21f25f5157bac1c83e4e4eabd45e57c156066627ea2982f24d037cd3b49d966df1fb140cff980fe8212947

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updater.exe

Filesize
11.1MB

MD5
a5c93db4c83dab084d6d4ae80ce1e527

SHA1
e90866ae65781058b98cb155e35b7ce1445d6139

SHA256
d9dc36b7bedf2632fe0a7ca99478b20406d288a69bd7b65e5da2c9d748a5b81f

SHA512
e61fdcabc99dbef705ac83dfa347c5f12b584ceec8b4f2fa7997a3f12722944987e65620d2f8764174e2145e7b3e7cf31372f4a591a38e4fc4496063f03e35b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\s7h-tiea.dll

Filesize
76KB

MD5
0fa0301d006b2e20732d8a5aa229c3bb

SHA1
77fcaff82507d980ae8eff73cb015cebd4460156

SHA256
efad1433261eebe5e0442f851ffd492022506ec27b45f14f136ab474ac53ae07

SHA512
09966d01bc9ac48d6accdf1d6366459bc3e93fe9ed81959a03ad2d7e883ebc0d199e33a70f728025d3eca90e5bc17869030e8c0c1ff5c40b0e7673fb5df4070b

Download Submit
C:\Users\Admin\AppData\Roaming\RamBoost\lib_33346576134e432b900bfc3fb9baec32\x64\turbojpeg.dll

Filesize
662KB

MD5
b36cc7f7c7148a783fbed3493bc27954

SHA1
44b39651949a00cf2a5cbba74c3210b980ae81b4

SHA256
c1ce9a872d33fb8757c59b5cd1f26c93b9eeec3e3cf57162c29a0783e6222a38

SHA512
c987c689ecc2cc57350c74ee22b66cb543535bc17b790016ec6407c3d02c539a727f5c38e1451a201e8e7ccfcb4d4639780b6e68cd38b7e67b1b28034ad738a2

Download Submit
C:\Users\Admin\AppData\Roaming\Watchdog.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\Desktop\AssertNew.txt

Filesize
769KB

MD5
044f90d6acbefac5171cfbe09dfe3690

SHA1
0b477fd122899b3c15efd13dc5969bd40d7c6852

SHA256
a4d3f9b392b24d279b3570c53a85536cabee445d33902b7c521920b88d400fce

SHA512
15e1c8b348733a7edc946d7249225c422f9331ca5d3076da2b7294c65c309f3423ba8ceed008167f301806ecd9af9d6f07d3169bf5817e97aa1aade7a332de28

Download Submit
C:\Users\Admin\Desktop\ClearResolve.vssm

Filesize
843KB

MD5
093d4c78b5dd2a09bf0f6faf14f8416b

SHA1
17209d66f6d2fc977a2c824bc52d887e0096357a

SHA256
d660c343191dc87eb02bafe77e2f03b3c6cdf913114c28f941f63e25a3c2bd4c

SHA512
f4767d63692851c9a3f4636340e6ace0c5123505fa44e7df4bf05104dde28e8050f7665c08a0bc98a1a81670fc9ef77f815b1c77c94cf6c017c084caabb5988c

Download Submit
C:\Users\Admin\Desktop\ConnectExport.edrwx

Filesize
496KB

MD5
7332a5e48584751808716df8d1655980

SHA1
a625be13c361fd51ea8958f85fc16ff2559aceec

SHA256
153e0ea51a8e18257978cd0ac1d0b240085e46561483bdaaa1f2d4275dc86a5a

SHA512
27c2d7a0693871dcfc78fe618a7698f42e0f6e4abf6e16a22345e0042ac269a43421682e6341979a9214ca6c7696d85073b02cb027aef6d3537181ac412a4923

Download Submit
C:\Users\Admin\Desktop\DenySet.xps

Filesize
868KB

MD5
e8f7081ea65f349d2abea54916eeaa9e

SHA1
f86958840c609e1d36cb77195edf956da721555b

SHA256
0dc0efa87d15ec2bda56c73c956e4e76ff37ea5779cae14dddc0cd280ec1bcf2

SHA512
81674c31b97384f7a58314fb5c358f909a9e6eabc0213a72597ac427cd0c928c485c26aa2308d39a5ded481edb02e99facb01faa6fb8dd06bd51a5dfe05d5665

Download Submit
C:\Users\Admin\Desktop\DismountDisable.pcx

Filesize
670KB

MD5
d9f22deb714b4b8a5fc6e086b18adfbd

SHA1
049391384d0213128c9ea95c1e014e324615a545

SHA256
b7ca8a007200ffec97df537161fa4f76bf0dc6f95aee4e31e51ce9f616eeb711

SHA512
c5326011af70cbfc7d8e490145249f95a058bc3b391410bbd50c3dfc4f91d58d8523844afe728527694fb600fcad5514b344295749514cf67b512e30d8e1aad6

Download Submit
C:\Users\Admin\Desktop\DismountUpdate.gif

Filesize
943KB

MD5
0c91eea8734ab959a1895b973aa5797c

SHA1
5e418f750e3791d0c5ca686f04f9337e1b2d1899

SHA256
93aeb4ab9ab6281d0147f4adc420b39dffd20a018fb228c49c0b5d91e2ec6484

SHA512
329d2c2dd20410d6e2c56d953af884c1f58f05754fa895ca1279463debca68e19ceb62895a26e96ab5e26d2e882bc2ee6c50786cebfc3299f275c8caa13dc825

Download Submit
C:\Users\Admin\Desktop\EditWrite.xls

Filesize
1.3MB

MD5
7f77378b79f90d99d95bffaf28b72436

SHA1
3a878fc5c46df90cd73240c8537b096b546bc25c

SHA256
722bdc48e166a97b5c75d5c1fa08d7a745c4a780ce1940ec4ff45f229bb84e4f

SHA512
f4dfe34d82b1087da35b0f0001120081677b21f47e422610760ab3e6583abb14b22372f5cff7d55dde89faee9cda94d06fcfc808f272bbd91a3111e589cf6a12

Download Submit
C:\Users\Admin\Desktop\EnterDismount.ppsx

Filesize
421KB

MD5
8473d636e496c5969d9745bca0e0a572

SHA1
9e87a85e07025507422f8f9da69353488e417974

SHA256
7ad02b24546e9fa095d5a603a2b1c678f350aebfd3459fc35ea4403eb3837162

SHA512
425faeb4df76c37c99768f3ecb08e17644f41bf65da7f08c831a183ff69b63bb1bc2c4db3ad5c1f67a8374f313ab2b4b4ad531f25a2737fc73fccd9ba38a4451

Download Submit
C:\Users\Admin\Desktop\ExportEnter.bmp

Filesize
818KB

MD5
62794cc1f78af1feb8078f08fb3785ce

SHA1
b1ea61120f9ccb3687048ff882f07c07e19481d8

SHA256
7e746d203547737fba85ef9c4ba9637e9e9ef9678574eb17bd1807e93ef4eb24

SHA512
3bf03e9c7e02d94b61666c14a513456bc652ad1d9e543dd38a93c5be7acccbfa45e4efe348ea5a8103ed705f04c5b25ea2ff6bcb60694c7322811b5d032d6d28

Download Submit
C:\Users\Admin\Desktop\HideGrant.wdp

Filesize
992KB

MD5
386ad27d7ba8e62063c6dc395d4473d9

SHA1
ce75627f0b942cfebc19f8f827be517ae3ac7554

SHA256
cd77a9fef2ac36ef921b85db2eac4ed657f4fcf8805eaaccd79dfa936898db5f

SHA512
8db499e3d8e51111e1d8a4073d3fb763d1b20a255220e5648efff44b07a1db3919bbb1649f1961be64213144f2d84bb2578832dff4b064f2262f69023436b13a

Download Submit
C:\Users\Admin\Desktop\InitializeRestore.html

Filesize
620KB

MD5
b013910ac67e0ab2685ef08260c3c94b

SHA1
9e08160ae1d1b4ac11c0ac1deb23f6a7152d5351

SHA256
3989c3074fad2c7434e92f14bc4976de663d3b332eea5997a10943928969b3a0

SHA512
115a95bd5794502c3ffac01b5087bd1eaf2ecb0d00448a75b8c4da663bd9bd35125b2750a9e54c27d3c19ab0934c6ca51163181b2f83d63b1e42590edf71b62c

Download Submit
C:\Users\Admin\Desktop\MeasureNew.wpl

Filesize
719KB

MD5
b67dead00fd94148c3a4f57b61b932f1

SHA1
283a238132a90192d4941c316ae578a3325dc197

SHA256
0f9bd2dc575761c62e70f3f7c5513c0a8f31ba1a3baa24918b0ef77dd8be814b

SHA512
87dc88a245dd456d0450589324abac21fc3340e6e5c3610c6ecbd7b659a72c96a09a205799d2c85b15e7a24a3146b05f0409449ba50a1744201d87b318e38c67

Download Submit
C:\Users\Admin\Desktop\NewMeasure.mp3

Filesize
694KB

MD5
0ca6d8994393705364dcf53f999a0fe4

SHA1
0bc717cdf4931a08ddaec80863eab580b3ae84cd

SHA256
21b883455c9336c9a4a53389b2072854111a6d210345a0e6e9dd5a4922730eff

SHA512
a5ecb179ac38a9d63a7142ac4566c930eb80b38724d9212f6cce484b719ae3c422efe3fb3838ef22e69a1b82806667dd60463ab02799587f59f574d59617cfcc

Download Submit
C:\Users\Admin\Desktop\NewOptimize.jpg

Filesize
446KB

MD5
404fd1b11133e09edc5b381c303f8309

SHA1
cacf5907139ff33eff794d99cc4f1695b507ef8c

SHA256
376179718394665062c09d8172bb29b46f32232211c07bbba7b77e62d614fee4

SHA512
67a151d13b9e5b1dcd90df2d2279af1bf2493b7e9c0aa06cd8524c17b49feb0b5158db92964018de1f3060616f4ba7ea8b42731cd27b7b75d9959a9fc9197c89

Download Submit
C:\Users\Admin\Desktop\PopUnprotect.temp

Filesize
372KB

MD5
6cfcdeb57078df87d759048bff90d167

SHA1
519585fc969edcd6c6f2f90fc3f6e8d1c2a41333

SHA256
154abb2621ada8b2007a0f28635714df3a92d14a5a3fed90dae7a9c0ce0ed621

SHA512
a2ea284326ee4146d7000a56737638c4b6e281e2071b3e96ba0854fb68e04b86412fb0b7b235b3042b99c1f120d01f1c63cd03f2dba23087deb568c03a857314

Download Submit
C:\Users\Admin\Desktop\ProtectResize.TTS

Filesize
347KB

MD5
594ef392b91e87403e2a54ee136f92c2

SHA1
25a802f16f5e2777bcdcf4a71ad8d5dd9903efb3

SHA256
5b848cbf0f92e22c8385c7b588de4811891c63896cbc8932cb28538ec9a29c26

SHA512
4783f063b2ba89b6986f235997439bd00b81bf7eeeda64ff77f0034df608e4a68baadc76cd55e97aed27d4230edc23e543a21abf30ee694cc3a34ff56c3a2914

Download Submit
C:\Users\Admin\Desktop\PublishRestart.shtml

Filesize
893KB

MD5
d25fef0daaea421f5002560b987fef37

SHA1
a46b9da6748d710e6314d6ce52fc6bf322398bf3

SHA256
ef96ab35bfaad3c023f50c35a0620a1b89f14882bb780fa0cb88379ebb955dc4

SHA512
5285e4b649d444e62550f72bdd88fb0e8f5fe2d106cd5789f4044926edb732d8dc8ae0007fd1b1ed1d9981f51f2b7499d990d913a369dde16613fd792ebcaaa9

Download Submit
C:\Users\Admin\Desktop\ReadRename.aiff

Filesize
595KB

MD5
4fff5986eac3b2b7b2a7eb0a9f08ca86

SHA1
a1e7a9111b1880c056d22fde97198ec173c80511

SHA256
9fa53f2270bac9539b53a9200ebb319c8e083f659b472f4005edbee6f496c8af

SHA512
c7a75aa2606cd0fe872dd247dda4c7f340c3b9871e1888fbd38fddc6bf7919e46b68d8c3840dab1273b12ccbe395c4da8f463193cdfb0d62fd60b35971c685da

Download Submit
C:\Users\Admin\Desktop\ReceiveOptimize.odt

Filesize
794KB

MD5
ced145fed3ce1941390b73f604374552

SHA1
3fe981aa9f85e552de031d2bc1e4eb79680c3413

SHA256
5cbad5b44612d7264e7ca167b9823e8e8c8c01c3eedc92eb5296c7a78b3c76d4

SHA512
8f45c62c225afd026db79ddf9fa920e431794cff207e07dbe1d0d80e61c571b3e22d0deff1de481148cbcdc671e853a80aa6a7f2eb6abec10fb8800df3482326

Download Submit
C:\Users\Admin\Desktop\RenameConvert.vsx

Filesize
967KB

MD5
a93e5745a94676129382b0d47a0b8eab

SHA1
5c01f667ed0f7f60addf623e10c70d49cc10afcd

SHA256
498a5906976051c8e49ec59d0fa9a65a315b13906c74b11ed101ed96a60f01e0

SHA512
bb99b737cead2ed0420d5a09016fa434cc8a773a86428749f34adf6870e593760f388713106ca13262cb180b1df642b5d2af53e33fc9be82487125b5d9360a05

Download Submit
C:\Users\Admin\Desktop\RequestDeny.docx

Filesize
15KB

MD5
e0b18d112b58d2685ca7d05f5eb2bd23

SHA1
6a4431ca75ed6bc0044db506b30115cd3465a664

SHA256
5563cf5cadef46a1246640b7eb8ecf5b44017f5b1d058a9e139a37598b62535c

SHA512
926dc48aa636557e1c94f545fd7b2c76df879f1e8f13e4220614851330fe4b4de73c2a0665b3458c2452d8b53973f984680124b3df503a81b76c0a8146e20efd

Download Submit
C:\Users\Admin\Desktop\ResetProtect.docm

Filesize
397KB

MD5
abc070c57b2e0981e36302271434d659

SHA1
285032c421003653c62975b93c62cff343066ec1

SHA256
728594077a4ad4098f85483a431a49d16bdbb20f6c15d1b0b14f47391ef0a5b1

SHA512
4d51e7062e773dee35aff11c632ff3150f4a9ee82516a8b6019ca3c0f317e198f8fe4525bedf8934882b93d34831b5890706af8776ee6300f027d257b93ac6db

Download Submit
C:\Users\Admin\Desktop\RestorePop.xlsx

Filesize
10KB

MD5
36d75613f441293c4c56ad656ee0de31

SHA1
51ee92d11b1fcae5808a7f9e57145a5454da8b99

SHA256
6f699073fb039d4d0eea04b058c23941fa6014aac2ade5a802669584f26a5419

SHA512
d5a49927720537ae1d7798269afbe647db4de6976c41d0713ed7d1bed9f40f6d4174b99c85497ca66b5824b45aa38327a1cb46cd53e5df50596c4998ca5ccf39

Download Submit
C:\Users\Admin\Desktop\RestoreSplit.mpeg

Filesize
744KB

MD5
ee11fcbb008cb54acfc4234c1908c5da

SHA1
3cd3a081159af59d52924a4a9121982bb4a91349

SHA256
25c457065a954152293cd1a8c2ad9181d7a1ddaa5dd64ffd93e1b5e1a3e518cc

SHA512
92f01fc91abd7b81cb9692311567d07cc6a1282776f308a6e4d5d15fa02fbfaef28c5f173dc0cb8facb87ec9c6ecdc7a4669c45439266378229864dad397573f

Download Submit
C:\Users\Admin\Desktop\SelectProtect.iso

Filesize
471KB

MD5
9af339eeec95764784ffca51f5e4659f

SHA1
acef98d0b27e908dd37f9c0a3ed26bb37d360556

SHA256
1dd8c1660e2d6949eb4a3293ae41cb3beba620b292ac3e1ae13934e1c4153496

SHA512
6822ef61a78df78e923ec23ed3220e3c5800426ccbb26c01791c86a9c5a3ea47410748718293ff3b9b5b69cb5e3d9616aead9f0faebed8fdd4d7ea94b3128b2e

Download Submit
C:\Users\Admin\Desktop\SkipDebug.wmf

Filesize
521KB

MD5
178e9b3da6d125279bab3acaec9d5dc2

SHA1
7b8e6f3c0362f52bee8584fe8fd5999e479c432d

SHA256
742b7f297dfed313debf5e455a0d50decc12b32f5bbf1fee6b6aec69fc78efc3

SHA512
20a4425d59d26b65f54a431158ad061f8480e64be782510bbfbcc217404122f29557bbd1bc92d55f88233b33a017e01d37d38f24725685ac855cf80c3a66d526

Download Submit
C:\Users\Admin\Desktop\StepExpand.css

Filesize
545KB

MD5
f1e8e0fa45994038273362a6eae9dd42

SHA1
ecc1c2fa37cf9b3e98b7c7849c7f54231bf9d1ee

SHA256
3d30e872d4c78f4d87c266d2ff82bcd0aa7924729ab1caf33cf584e964f3c54d

SHA512
5171b2dd9edfd1f5bbd64b532687320373ce47ed1d2b14971c5bb53adf64af4b1f0183a19add492827a829b652e7931895b8f671944f762de2e9e434d9d9d8d9

Download Submit
C:\Users\Admin\Desktop\SwitchDebug.cr2

Filesize
918KB

MD5
2f72c04fc2922bb203d72e1c086b31f9

SHA1
afff93519f28dd105ba7365aec986e31d0c22de2

SHA256
7043b903581801122ea5fe67e8313097812c55e59085eb254ac4829c6a2cfa42

SHA512
691b118121bdbe62af437222273a1541574ae0e972ca40edc0ba479ece0786a0e7d013fa2a594b0e378245d604239453c1455afa8a6c1d35ba94c6837f4e3cd1

Download Submit
C:\Users\Admin\Desktop\UnpublishResolve.php

Filesize
570KB

MD5
38a956cf7b5bbed1e364ace25a596a59

SHA1
1a66637718f065618dc3a08f4f0e4c25945c6222

SHA256
eb6215eb1cf5e50efba536394f74dd8c91f422fb8fa953e0dc4a1cad6a257176

SHA512
b29af9996091b8684c84ea301706a3a4167cb65de390c80f7bc48d44d200fb1dd136c0b77f91dd92bcf5581340a80df545d503aeece0edc3c2bba16422378929

Download Submit
C:\Users\Admin\Desktop\UnpublishUnblock.wmf

Filesize
645KB

MD5
a9853f4173aed71c5e23d6a71e54feaa

SHA1
421473e2d7c29e0e4f03d4443bdaa59d11d96d77

SHA256
d0bb67daa55b0adb38d272dc21a792966f1de737d4a055e106b11729fcdeb099

SHA512
064a0a05e22b6607608d75d89984dbd70e11c60bd1c5c8919eaf024ab59e45108a2a41823d4ff9e71545cc3426d1938f33f41737526b89c7f39e09f3a49aaa3b

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC197E.tmp

Filesize
676B

MD5
bc881ca7b7062202b96fc558680a3d44

SHA1
221cf4aae6997369644107009c3a8883958f3a59

SHA256
eb96bbada82cc7231117acf81d911c3a60f4b5d91d17c242713ec6092b12e2bb

SHA512
d8ab675e2202760457e07952ac6c8bd229f38dafe1224222762fcab0d0c564ceed410c084ca46dea3d7ec104cdbc1ec5b52bb48b158fd992032e7b914b715cef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s7h-tiea.0.cs

Filesize
208KB

MD5
3c8b9de38a55cb4c646a8bb66c689bee

SHA1
b0a55cdac0735352a3b7f2bb6a48be637208ff30

SHA256
b6a7456b7d98e91643f71ec9cea90364dfbff51327211071a9c389fdf541ba82

SHA512
b777fcce8fd080f3e8f663bd987a5a7bf0db50e1af6acd612aff1ce7a1921c216370ecd2367188147869cf3f95c7d3d7b0d84aa7122caaf7aba13cbed5bdfde0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s7h-tiea.cmdline

Filesize
349B

MD5
889e05183e3c79e4620d0bc87c9ab799

SHA1
416bb06297bb9f5331545d5a67a96e8eafce4fad

SHA256
1d4f309f64ad5a422e918e1bcfc24a6b3827c9a67bfffa1cbe8cd98e74197b3e

SHA512
b355837a5b498873b289fc2f0179cb5ed552713470004b410834ba5ae2322cc35ac905b42b4f2c438aed5267ef6c1fad0a854b9b25f870aaede152de04fe7c0c

Download Submit
memory/388-65-0x00007FFA115E0000-0x00007FFA11F81000-memory.dmp

Filesize
9.6MB

Download
memory/388-23-0x000000001C4B0000-0x000000001C4C6000-memory.dmp

Filesize
88KB

Download
memory/388-1-0x00007FFA115E0000-0x00007FFA11F81000-memory.dmp

Filesize
9.6MB

Download
memory/388-2-0x000000001B1B0000-0x000000001B20C000-memory.dmp

Filesize
368KB

Download
memory/388-5-0x000000001B3A0000-0x000000001B3AE000-memory.dmp

Filesize
56KB

Download
memory/388-7-0x000000001B880000-0x000000001BD4E000-memory.dmp

Filesize
4.8MB

Download
memory/388-6-0x00007FFA115E0000-0x00007FFA11F81000-memory.dmp

Filesize
9.6MB

Download
memory/388-8-0x000000001BDF0000-0x000000001BE8C000-memory.dmp

Filesize
624KB

Download
memory/388-0-0x00007FFA11895000-0x00007FFA11896000-memory.dmp

Filesize
4KB

Download
memory/388-26-0x000000001C4F0000-0x000000001C510000-memory.dmp

Filesize
128KB

Download
memory/388-25-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/1592-48-0x0000000019DA0000-0x0000000019EAA000-memory.dmp

Filesize
1.0MB

Download
memory/1628-380-0x000000001CCB0000-0x000000001CCFA000-memory.dmp

Filesize
296KB

Download
memory/1628-69-0x000000001C220000-0x000000001C230000-memory.dmp

Filesize
64KB

Download
memory/1628-375-0x000000001C800000-0x000000001C844000-memory.dmp

Filesize
272KB

Download
memory/1628-66-0x000000001BB00000-0x000000001BB4E000-memory.dmp

Filesize
312KB

Download
memory/1628-385-0x000000001D070000-0x000000001D0CA000-memory.dmp

Filesize
360KB

Download
memory/1628-390-0x000000001C7A0000-0x000000001C7C6000-memory.dmp

Filesize
152KB

Download
memory/1628-397-0x000000001D3B0000-0x000000001D504000-memory.dmp

Filesize
1.3MB

Download
memory/1628-67-0x000000001BB90000-0x000000001BBA8000-memory.dmp

Filesize
96KB

Download
memory/1628-64-0x0000000000E80000-0x0000000000F98000-memory.dmp

Filesize
1.1MB

Download
memory/1628-70-0x000000001C400000-0x000000001C5C2000-memory.dmp

Filesize
1.8MB

Download
memory/3672-21-0x00007FFA115E0000-0x00007FFA11F81000-memory.dmp

Filesize
9.6MB

Download
memory/3672-17-0x00007FFA115E0000-0x00007FFA11F81000-memory.dmp

Filesize
9.6MB

Download
memory/3868-114-0x0000000000F80000-0x0000000000F88000-memory.dmp

Filesize
32KB

Download
memory/4520-40-0x00000000006D0000-0x00000000006DC000-memory.dmp

Filesize
48KB

Download
memory/4520-41-0x00007FFA0E5D3000-0x00007FFA0E5D5000-memory.dmp

Filesize
8KB

Download
memory/4520-42-0x0000000000EB0000-0x0000000000EC2000-memory.dmp

Filesize
72KB

Download
memory/4520-43-0x000000001B2C0000-0x000000001B2FC000-memory.dmp

Filesize
240KB

Download