sectoprat | 69a2b85495bbf5fe03c9fa86e6b7b931f52e986a0ad1885583a4486f2b6d39c3

Analysis

max time kernel
118s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
07/04/2025, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

msi8.msi
Size

19.9MB
MD5

3101ecfa0802a37677592a003f4005b1
SHA1

cf611230456d70127f7541723af162c6a09d6549
SHA256

69a2b85495bbf5fe03c9fa86e6b7b931f52e986a0ad1885583a4486f2b6d39c3
SHA512

ea9d2b6f211d9e5811d57d1525252d437f0a3a3f81ce21750824ed53967d1f834b1e3908d761e371e3bf3f80d2e35dae362ba451d1bf843f57051b6870b68eb6
SSDEEP

196608:R8DQnkCru3ZBggTPCBAIk9a7911FuyuON7NKmiRT5kozS6A4d2mOmGhIXA:kYkCwz+BP9ZuyuOxNzOkos4zG2XA

Score

10^/10

sectoprat credential_access discovery persistence privilege_escalation rat spyware stealer trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/3736-134-0x00000000005A0000-0x0000000000674000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Uses browser remote debugging 2 TTPs 10 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2732	chrome.exe
2040	chrome.exe
4020	chrome.exe
3884	chrome.exe
3200	msedge.exe
4200	msedge.exe
6040	msedge.exe
692	chrome.exe
2148	chrome.exe
5656	msedge.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2076 set thread context of 3276	2076	crashreporter.exe	106
PID 3276 set thread context of 3736	3276	cmd.exe	114

Executes dropped EXE 12 IoCs

pid	Process
4808	ISBEW64.exe
4908	ISBEW64.exe
4772	ISBEW64.exe
868	ISBEW64.exe
2892	ISBEW64.exe
4988	ISBEW64.exe
5092	ISBEW64.exe
5036	ISBEW64.exe
1200	ISBEW64.exe
5020	ISBEW64.exe
2732	crashreporter.exe
2076	crashreporter.exe

Loads dropped DLL 24 IoCs

pid	Process
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
2732	crashreporter.exe
2732	crashreporter.exe
2732	crashreporter.exe
2732	crashreporter.exe
2732	crashreporter.exe
2732	crashreporter.exe
2732	crashreporter.exe
2732	crashreporter.exe
2732	crashreporter.exe
2732	crashreporter.exe
2076	crashreporter.exe
2076	crashreporter.exe
2076	crashreporter.exe
2076	crashreporter.exe
2076	crashreporter.exe
2076	crashreporter.exe
2076	crashreporter.exe
2076	crashreporter.exe
2076	crashreporter.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2220	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crashreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crashreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2732	crashreporter.exe
2076	crashreporter.exe
2076	crashreporter.exe
3276	cmd.exe
3276	cmd.exe
3276	cmd.exe
3276	cmd.exe
3736	MSBuild.exe
3736	MSBuild.exe
3736	MSBuild.exe
3736	MSBuild.exe
3736	MSBuild.exe
3736	MSBuild.exe
3736	MSBuild.exe
3736	MSBuild.exe
3736	MSBuild.exe
3736	MSBuild.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
3736	MSBuild.exe
3736	MSBuild.exe
3736	MSBuild.exe
3736	MSBuild.exe
3736	MSBuild.exe
3736	MSBuild.exe
3736	MSBuild.exe
3736	MSBuild.exe
3736	MSBuild.exe
3736	MSBuild.exe
3736	MSBuild.exe
3736	MSBuild.exe
3736	MSBuild.exe
3736	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2076	crashreporter.exe
3276	cmd.exe
3276	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2220	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2220	msiexec.exe
Token: SeSecurityPrivilege	3772	msiexec.exe
Token: SeCreateTokenPrivilege	2220	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2220	msiexec.exe
Token: SeLockMemoryPrivilege	2220	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2220	msiexec.exe
Token: SeMachineAccountPrivilege	2220	msiexec.exe
Token: SeTcbPrivilege	2220	msiexec.exe
Token: SeSecurityPrivilege	2220	msiexec.exe
Token: SeTakeOwnershipPrivilege	2220	msiexec.exe
Token: SeLoadDriverPrivilege	2220	msiexec.exe
Token: SeSystemProfilePrivilege	2220	msiexec.exe
Token: SeSystemtimePrivilege	2220	msiexec.exe
Token: SeProfSingleProcessPrivilege	2220	msiexec.exe
Token: SeIncBasePriorityPrivilege	2220	msiexec.exe
Token: SeCreatePagefilePrivilege	2220	msiexec.exe
Token: SeCreatePermanentPrivilege	2220	msiexec.exe
Token: SeBackupPrivilege	2220	msiexec.exe
Token: SeRestorePrivilege	2220	msiexec.exe
Token: SeShutdownPrivilege	2220	msiexec.exe
Token: SeDebugPrivilege	2220	msiexec.exe
Token: SeAuditPrivilege	2220	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2220	msiexec.exe
Token: SeChangeNotifyPrivilege	2220	msiexec.exe
Token: SeRemoteShutdownPrivilege	2220	msiexec.exe
Token: SeUndockPrivilege	2220	msiexec.exe
Token: SeSyncAgentPrivilege	2220	msiexec.exe
Token: SeEnableDelegationPrivilege	2220	msiexec.exe
Token: SeManageVolumePrivilege	2220	msiexec.exe
Token: SeImpersonatePrivilege	2220	msiexec.exe
Token: SeCreateGlobalPrivilege	2220	msiexec.exe
Token: SeCreateTokenPrivilege	2220	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2220	msiexec.exe
Token: SeLockMemoryPrivilege	2220	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2220	msiexec.exe
Token: SeMachineAccountPrivilege	2220	msiexec.exe
Token: SeTcbPrivilege	2220	msiexec.exe
Token: SeSecurityPrivilege	2220	msiexec.exe
Token: SeTakeOwnershipPrivilege	2220	msiexec.exe
Token: SeLoadDriverPrivilege	2220	msiexec.exe
Token: SeSystemProfilePrivilege	2220	msiexec.exe
Token: SeSystemtimePrivilege	2220	msiexec.exe
Token: SeProfSingleProcessPrivilege	2220	msiexec.exe
Token: SeIncBasePriorityPrivilege	2220	msiexec.exe
Token: SeCreatePagefilePrivilege	2220	msiexec.exe
Token: SeCreatePermanentPrivilege	2220	msiexec.exe
Token: SeBackupPrivilege	2220	msiexec.exe
Token: SeRestorePrivilege	2220	msiexec.exe
Token: SeShutdownPrivilege	2220	msiexec.exe
Token: SeDebugPrivilege	2220	msiexec.exe
Token: SeAuditPrivilege	2220	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2220	msiexec.exe
Token: SeChangeNotifyPrivilege	2220	msiexec.exe
Token: SeRemoteShutdownPrivilege	2220	msiexec.exe
Token: SeUndockPrivilege	2220	msiexec.exe
Token: SeSyncAgentPrivilege	2220	msiexec.exe
Token: SeEnableDelegationPrivilege	2220	msiexec.exe
Token: SeManageVolumePrivilege	2220	msiexec.exe
Token: SeImpersonatePrivilege	2220	msiexec.exe
Token: SeCreateGlobalPrivilege	2220	msiexec.exe
Token: SeCreateTokenPrivilege	2220	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2220	msiexec.exe
Token: SeLockMemoryPrivilege	2220	msiexec.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
2220	msiexec.exe
2220	msiexec.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
3200	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3736	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 3580	3772	msiexec.exe	88
PID 3772 wrote to memory of 3580	3772	msiexec.exe	88
PID 3772 wrote to memory of 3580	3772	msiexec.exe	88
PID 3580 wrote to memory of 4808	3580	MsiExec.exe	92
PID 3580 wrote to memory of 4808	3580	MsiExec.exe	92
PID 3580 wrote to memory of 4908	3580	MsiExec.exe	93
PID 3580 wrote to memory of 4908	3580	MsiExec.exe	93
PID 3580 wrote to memory of 4772	3580	MsiExec.exe	94
PID 3580 wrote to memory of 4772	3580	MsiExec.exe	94
PID 3580 wrote to memory of 868	3580	MsiExec.exe	95
PID 3580 wrote to memory of 868	3580	MsiExec.exe	95
PID 3580 wrote to memory of 2892	3580	MsiExec.exe	96
PID 3580 wrote to memory of 2892	3580	MsiExec.exe	96
PID 3580 wrote to memory of 4988	3580	MsiExec.exe	97
PID 3580 wrote to memory of 4988	3580	MsiExec.exe	97
PID 3580 wrote to memory of 5092	3580	MsiExec.exe	98
PID 3580 wrote to memory of 5092	3580	MsiExec.exe	98
PID 3580 wrote to memory of 5036	3580	MsiExec.exe	99
PID 3580 wrote to memory of 5036	3580	MsiExec.exe	99
PID 3580 wrote to memory of 1200	3580	MsiExec.exe	100
PID 3580 wrote to memory of 1200	3580	MsiExec.exe	100
PID 3580 wrote to memory of 5020	3580	MsiExec.exe	101
PID 3580 wrote to memory of 5020	3580	MsiExec.exe	101
PID 3580 wrote to memory of 2732	3580	MsiExec.exe	102
PID 3580 wrote to memory of 2732	3580	MsiExec.exe	102
PID 3580 wrote to memory of 2732	3580	MsiExec.exe	102
PID 2732 wrote to memory of 2076	2732	crashreporter.exe	103
PID 2732 wrote to memory of 2076	2732	crashreporter.exe	103
PID 2732 wrote to memory of 2076	2732	crashreporter.exe	103
PID 2076 wrote to memory of 3276	2076	crashreporter.exe	106
PID 2076 wrote to memory of 3276	2076	crashreporter.exe	106
PID 2076 wrote to memory of 3276	2076	crashreporter.exe	106
PID 2076 wrote to memory of 3276	2076	crashreporter.exe	106
PID 3276 wrote to memory of 3736	3276	cmd.exe	114
PID 3276 wrote to memory of 3736	3276	cmd.exe	114
PID 3276 wrote to memory of 3736	3276	cmd.exe	114
PID 3276 wrote to memory of 3736	3276	cmd.exe	114
PID 3276 wrote to memory of 3736	3276	cmd.exe	114
PID 3736 wrote to memory of 2732	3736	MSBuild.exe	124
PID 3736 wrote to memory of 2732	3736	MSBuild.exe	124
PID 2732 wrote to memory of 2220	2732	chrome.exe	125
PID 2732 wrote to memory of 2220	2732	chrome.exe	125
PID 2732 wrote to memory of 2948	2732	chrome.exe	126
PID 2732 wrote to memory of 2948	2732	chrome.exe	126
PID 2732 wrote to memory of 2948	2732	chrome.exe	126
PID 2732 wrote to memory of 2948	2732	chrome.exe	126
PID 2732 wrote to memory of 2948	2732	chrome.exe	126
PID 2732 wrote to memory of 2948	2732	chrome.exe	126
PID 2732 wrote to memory of 2948	2732	chrome.exe	126
PID 2732 wrote to memory of 2948	2732	chrome.exe	126
PID 2732 wrote to memory of 2948	2732	chrome.exe	126
PID 2732 wrote to memory of 2948	2732	chrome.exe	126
PID 2732 wrote to memory of 2948	2732	chrome.exe	126
PID 2732 wrote to memory of 2948	2732	chrome.exe	126
PID 2732 wrote to memory of 2948	2732	chrome.exe	126
PID 2732 wrote to memory of 2948	2732	chrome.exe	126
PID 2732 wrote to memory of 2948	2732	chrome.exe	126
PID 2732 wrote to memory of 2948	2732	chrome.exe	126
PID 2732 wrote to memory of 2948	2732	chrome.exe	126
PID 2732 wrote to memory of 2948	2732	chrome.exe	126
PID 2732 wrote to memory of 2948	2732	chrome.exe	126
PID 2732 wrote to memory of 2948	2732	chrome.exe	126
PID 2732 wrote to memory of 2948	2732	chrome.exe	126
PID 2732 wrote to memory of 2948	2732	chrome.exe	126

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\msi8.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2220

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 86F010FCC0790E030DDE1878C15C57B5 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{08EB95D5-ABD9-4871-9CFC-877F04523376}
    3⤵
    - Executes dropped EXE
    PID:4808
- - C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A79F5C8F-5EA5-4653-A193-8627D1C647A7}
    3⤵
    - Executes dropped EXE
    PID:4908
- - C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C0166024-4180-4BFF-B5DA-01A122740383}
    3⤵
    - Executes dropped EXE
    PID:4772
- - C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{109A97CB-5A73-4F1F-AFC4-7FD554B11F4E}
    3⤵
    - Executes dropped EXE
    PID:868
- - C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{07C9AD60-D806-43FF-ABA0-4FFFF2F41958}
    3⤵
    - Executes dropped EXE
    PID:2892
- - C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{10822729-8F6E-4571-8305-7C883AC6FBFA}
    3⤵
    - Executes dropped EXE
    PID:4988
- - C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{46419688-EE5D-4CD6-B2DB-032A602C7E14}
    3⤵
    - Executes dropped EXE
    PID:5092
- - C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8AA25302-6292-448E-BD06-5FFE6E509547}
    3⤵
    - Executes dropped EXE
    PID:5036
- - C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{787AC4F2-55B4-434B-B0D3-9DE01FE7A0DE}
    3⤵
    - Executes dropped EXE
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4AAA9C42-8EC3-47C9-9BC3-A01BA3E4B4CD}
    3⤵
    - Executes dropped EXE
    PID:5020
- - C:\Users\Admin\AppData\Local\Temp\{D76AF13D-8C7C-4E31-9718-68504E4BEC32}\crashreporter.exe
    C:\Users\Admin\AppData\Local\Temp\{D76AF13D-8C7C-4E31-9718-68504E4BEC32}\crashreporter.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Users\Admin\AppData\Roaming\QuickJava_wys_5\crashreporter.exe
      C:\Users\Admin\AppData\Roaming\QuickJava_wys_5\crashreporter.exe
      4⤵
      Suspicious use of SetThreadContext
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2076
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3276
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=8341 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf4,0xf8,0xfc,0xd0,0x100,0x7ffc0aaadcf8,0x7ffc0aaadd04,0x7ffc0aaadd10
        8⤵
        
        PID:2220
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2068,i,14622053254208563791,675506767620726165,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2056 /prefetch:2
        8⤵
        
        PID:2948
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2280,i,14622053254208563791,675506767620726165,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2288 /prefetch:3
        8⤵
        
        PID:5440
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2432,i,14622053254208563791,675506767620726165,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2356 /prefetch:8
        8⤵
        
        PID:1404
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8341 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3304,i,14622053254208563791,675506767620726165,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3336 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:692
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8341 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3316,i,14622053254208563791,675506767620726165,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3356 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2040
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8341 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3312,i,14622053254208563791,675506767620726165,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4492 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:4020
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8341 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4464,i,14622053254208563791,675506767620726165,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4512 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:2148
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8341 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4868,i,14622053254208563791,675506767620726165,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4908 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=8052 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:3200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x24c,0x250,0x254,0x248,0x274,0x7ffc0aa8f208,0x7ffc0aa8f214,0x7ffc0aa8f220
        8⤵
        
        PID:1972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1952,i,8838021085145333373,17880373683493238285,262144 --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:3
        8⤵
        
        PID:4808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2228,i,8838021085145333373,17880373683493238285,262144 --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:2
        8⤵
        
        PID:4928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2552,i,8838021085145333373,17880373683493238285,262144 --variations-seed-version --mojo-platform-channel-handle=2632 /prefetch:8
        8⤵
        
        PID:916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=8052 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3496,i,8838021085145333373,17880373683493238285,262144 --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=8052 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3472,i,8838021085145333373,17880373683493238285,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:4200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --pdf-upsell-enabled --remote-debugging-port=8052 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4824,i,8838021085145333373,17880373683493238285,262144 --variations-seed-version --mojo-platform-channel-handle=4868 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:5656

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Modify Authentication Process

T1556

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Authentication Process

T1556

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
bfee740b01da4b3f406f9ddf91c007d4

SHA1
1354bc1fa64d27ed35b8b298db68af097ac6ace6

SHA256
96e1fc52b5f29f62d99b81fc74bcea1363a01289fd2097a37ec0037a96732257

SHA512
9dc25149dfb5365d1d9b27bc9d43e10dbd64993203e624590e4017ece7c59cb54887674ed74bed1bd39de5ce02fe2bf2fb4c358f6418eb582276ef3e4628c6d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
8370947147d6848b2b702ca20e7af7b5

SHA1
24b08d5e127abc68d9b3fb1e346eeaf9eee61798

SHA256
536e961257b5e6e7da04296119cda4779459698c5a3a3e4608325ef7488362a6

SHA512
ba2207241581c92c223021277b48787d19cfd899e89edc4c3e40de3968b8cc78293484fd7bb16cca8812202e37870ee6406df63288402ae6367f3266c18317f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
690f9d619434781cadb75580a074a84d

SHA1
9c952a5597941ab800cae7262842ab6ac0b82ab1

SHA256
fc2e4954dbe6b72d5b09e1dc6360ea699437a2551355c2950da0b3d3a4779fc1

SHA512
d6b1da8e7febf926e8b6c316164efbbac22c7c3d9e4933a19fffba3d1667e1993cdeb5064aa53816c0c53f9d2c53e204772de987eb18adbb094a0fb84ae61fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\43777905-94d9-469f-bdca-c5a9e2858271\index-dir\the-real-index

Filesize
1KB

MD5
bc9cd9b7d5f4c182513f41983e79764d

SHA1
602787923355662acd6b8663bb43d3f32aa7cc79

SHA256
0d9d0ad8d6b63d35e4cb2e3eb36ca163e9021d43f39f23fd666cc40998202481

SHA512
a9800136dd1662bc18ee22a37165daebd7719bb262c198e6b3124ed1aebcc13fba6696c2ac38a2539c83cd6a4ea4f458ebd43cb9480820710b2d05b81c36b436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\43777905-94d9-469f-bdca-c5a9e2858271\index-dir\the-real-index~RFe58818f.TMP

Filesize
1KB

MD5
f32adb894b3eb8c2a89c0e89d069b8c2

SHA1
ec0e38b050c40f1d299f93691ae6ee91b7cccd18

SHA256
cbf6862c61fb071b75a05fb57d2374da6e06da68f4aaf549961d33c76e98309c

SHA512
6cf853b143e0f9195f6a2694ef4a95ebfac91c8fe1974d18c93ebdc3f2536140719a938f53c2dcdd3c5ba69d52edf783b3da052938647abcbbb4d8f27ebde02b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
6cf7902682ab26cd848b27d8f2dece84

SHA1
2b8a3f17232203a790ccc16e10f7e466649ca74d

SHA256
fbdc2da3e8f47af7ec42b99ec76218396d23fc9fcf81d9cf1b918a68ff7b61a9

SHA512
19691586573b0855e234cc46a1f5e75fd4cb6f701e5661fc5b9bf595d0669079aa467ec9a5f81f9142e920d59baffaa6c90afa7ea46e4e175fb8f3fc2f3b64b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6428.tmp

Filesize
171KB

MD5
a0e940a3d3c1523416675125e3b0c07e

SHA1
2e29eeba6da9a4023bc8071158feee3b0277fd1b

SHA256
b8fa7aa425e4084ea3721780a13d11e08b8d53d1c5414b73f22faeca1bfd314f

SHA512
736ea06824388372aeef1938c6b11e66f4595e0b0589d7b4a87ff4abbabe52e82dff64d916293eab47aa869cf372ced2c66755dd8a8471b2ab0d3a37ba91d0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI669A.tmp

Filesize
2.5MB

MD5
308770cbd92375538bdf33f4497b086c

SHA1
433668a3580b611c46177f065b1d22f450a75c94

SHA256
dd30788d51bf77ce8aee05ec97665577fb30909a7530ce143c994ca57b2a1e9f

SHA512
941b7b0edbfe3e4bf7a2cdb005f1e554deae1af5e503d78b0af0b9cfa41d5c2fae4b579c1c5dd07628c1075acec7021e383db79f2ed91d0e2afc58167591fed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4fe6755

Filesize
1.5MB

MD5
a236a0021216307b4d0c736fd8125db6

SHA1
07fe6108f7891f9cd482a7e3a819cfe5f442a3a0

SHA256
8b66f5a56f2f509989916ba71a7bf2c4a8fbd2f77c47e7f81c7eb8a9f09d494d

SHA512
6a37f60ec10ed529c2d353b83b9dad2b41237576cf91c90eeda6ea1f0089b09980d88ea2d709088f495915ac7b36276ce1d66ca45ab1029457ea888077c4e81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\ISBEW64.exe

Filesize
178KB

MD5
40f3a092744e46f3531a40b917cca81e

SHA1
c73f62a44cb3a75933cecf1be73a48d0d623039b

SHA256
561f14cdece85b38617403e1c525ff0b1b752303797894607a4615d0bd66f97f

SHA512
1589b27db29051c772e5ba56953d9f798efbf74d75e0524fa8569df092d28960972779811a7916198d0707d35b1093d3e0dd7669a8179c412cfa7df7120733b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\ISRT.dll

Filesize
426KB

MD5
8af02bf8e358e11caec4f2e7884b43cc

SHA1
16badc6c610eeb08de121ab268093dd36b56bf27

SHA256
58a724d23c63387a2dda27ccfdbc8ca87fd4db671bea8bb636247667f6a5a11e

SHA512
d0228a8cc93ff6647c2f4ba645fa224dc9d114e2adb5b5d01670b6dafc2258b5b1be11629868748e77b346e291974325e8e8e1192042d7c04a35fc727ad4e3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4FE4962C-9719-4A3B-B8CF-E166BE333D1F}\_isres_0x0409.dll

Filesize
1.8MB

MD5
7de024bc275f9cdeaf66a865e6fd8e58

SHA1
5086e4a26f9b80699ea8d9f2a33cead28a1819c0

SHA256
bd32468ee7e8885323f22eabbff9763a0f6ffef3cc151e0bd0481df5888f4152

SHA512
191c57e22ea13d13806dd390c4039029d40c7532918618d185d8a627aabc3969c7af2e532e3c933bde8f652b4723d951bf712e9ba0cc0d172dde693012f5ef1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D76AF13D-8C7C-4E31-9718-68504E4BEC32}\crashreporter.exe

Filesize
1.2MB

MD5
e69917fa99f750a6c4e19523c3f2014b

SHA1
4b0185f38b668d7332d411f4824de2d111b3e670

SHA256
51de0b104e9ced3028a41d01dedf735809eb7f60888621027c7f00f0fcf9c834

SHA512
2f3b3f878fcae51a718d5ae2c12b4d98372c7aab46ed93cd567e66a1b45a96fb79ad66b7aaf0e9383905f46e4f639597af4914640d23596583057112d94a22c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D76AF13D-8C7C-4E31-9718-68504E4BEC32}\fantail.tiff

Filesize
35KB

MD5
129afd98abb9c8790d01fc5f5c03a46c

SHA1
e6b3340e024f76d04ba5e24e6570d3cc0d67f64d

SHA256
d381fb7645aa0553e122efd20d78a421c19de4123ba9f3e9080f9002aff473ee

SHA512
360a9b9348285446d7bbfbd79dfc99cd54e8bd59abd5a1e3cd83db2c2432dad484ed5807de464d9ab1ce606fa9512d9c6bf0e5c4958e2afcfc75d8f96007de35

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D76AF13D-8C7C-4E31-9718-68504E4BEC32}\jpeg8.dll

Filesize
684KB

MD5
e4e335ea9f7d5824a1aa3abcbc5f7dc9

SHA1
2c840163497d6db2ad9aa0cf92fe990d8b7f8074

SHA256
66c5fddaf6af0c0ecd0ce6923010c9d4f5eab184e6b6cb3f5453d405281366a4

SHA512
082550fe52adb0a1a25809484e95c02b175c63c8b03dc68655a331d2369c4b79276a4338571a605814862ede8a6673ad781ea3f0c9b5372e0df60f07b3205587

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D76AF13D-8C7C-4E31-9718-68504E4BEC32}\lib-strings.dll

Filesize
125KB

MD5
5ae0bda29f1387fbb266c12daea57d03

SHA1
154c999a371af12b80782e3012934f1f1edbf80b

SHA256
762620c3e241e8da462311bec8ae87c9a01089ac028f77384a8ea2ba3854dac1

SHA512
063cb0ab3a29c73be01fd07070e27613b185c0b67ede20f3df1e5c63a3e9ce2a9996eb7864e6f13e7088339d9dd162b2a19c44d4b761711051961424c9e49930

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D76AF13D-8C7C-4E31-9718-68504E4BEC32}\libpng16.dll

Filesize
216KB

MD5
7895937099678ccf369519179b223016

SHA1
d08fee6de6e04e9a6df35e64de0082d6dbd4ff6f

SHA256
c162ed44fe43320ebeea325eb25c6b33d5411dfba9a260d186ebcb95478ef13c

SHA512
e51c717529b289e4af7bfe0ff0036f2d17ebc21678d3f8231e976a07de1a1d03b6b183a7544a562cedbf609b188e707264ff38d4307755a9c5f5e4510eb6a57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D76AF13D-8C7C-4E31-9718-68504E4BEC32}\msvcp140.dll

Filesize
439KB

MD5
4d157073a891d0832b9b05fb8aca73a8

SHA1
551efcdd93ecafc6b54ebb6f8f38c505d42d61ca

SHA256
718812adb0d669eea9606432202371e358c7de6cdeafeddad222c36ae0d3f263

SHA512
141563450e4cdf44315270360414f339fc3c96ebdaa46e28a1f673237c30f5e94e6da271db67547499c14dc3bd10e39767c3b6a2a3c9cec0a64a11f0263e0c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D76AF13D-8C7C-4E31-9718-68504E4BEC32}\utricle.sql

Filesize
1.3MB

MD5
f9afa3754fbf8a44670d517175b107cf

SHA1
72ae998f9d858c4f4385dcf824b8ac6895a05b7f

SHA256
92db5286adc620b6a2d151d7a2981923c1600a3b7b7a9a687934db7b3b6d6222

SHA512
c3c578c87f3316ad58aed25cf50dfd1b1f55ddbd62ce3728163ae169fb881c5f71db29ef1cbe8eea1ccb7242f30139f12f83209745ea72525fc0d496ff28dc96

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D76AF13D-8C7C-4E31-9718-68504E4BEC32}\vcruntime140.dll

Filesize
88KB

MD5
e4ed441f0f6afb0d8d55af87900ec48f

SHA1
ac5bd77fd06ed29bebceb65371387555658870d9

SHA256
09d1e604e8cdd06176fcc3d3698861be20638a4391f9f2d9e23f868c1576ca94

SHA512
dec6d693aa2d6c043ef8ae35f7f613cf9366aeb8a5903e8e0c54644f799262229b91953c65d39f8535ce464c75bf34b3b23ddb50a9fc5f171d36d6bfa1e4d7dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D76AF13D-8C7C-4E31-9718-68504E4BEC32}\wxbase313u_vc_custom.dll

Filesize
3.3MB

MD5
fbe10d14b2a0b27fc8f228aa261ced38

SHA1
33bc390bc7088294ba4ad4db07a92a81743081e3

SHA256
9b52773e8cc7a1259cbd484528425bc4f0740f66eaa0b3b9e84d840e75fdfc40

SHA512
53078861a481b3655d5f8e346ddca035cf46111ea02dfceee65e6d9948003b5b5e4a95bcfbecea29ee1cf00293f01c8fa9576bbd84ac06447d91b21b92dc1862

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D76AF13D-8C7C-4E31-9718-68504E4BEC32}\wxmsw313u_core_vc_custom.dll

Filesize
9.2MB

MD5
4e6f4affac9e3241078e46d237b2dbf0

SHA1
1d19da4253c238bfb86a6142d39c6cee4562bd39

SHA256
dcf938002a46ca976e1166939baf54ebdf6031288c0d33f1857aae6929fdc39b

SHA512
b94cb411a7444d271fa97cac49a326f3ab06bc44529049c3c8879fc2a258e02358f483f20f5b8f7c96e8ca459bc9b72c155d2543bdba8c66d2005aba6225d6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D76AF13D-8C7C-4E31-9718-68504E4BEC32}\zlib1.dll

Filesize
109KB

MD5
dfd95d4f4160f0756f2898144ba9e300

SHA1
f6b426ce6f17255956637834105af3a403eda36c

SHA256
964cbd05e4e8cfc1ba7f1fa17625b1ce7e539e519f725f8cb7f2f342641bf03d

SHA512
d414ec8a53f972ef2fb5f2b94a4cf417ceefba9a09a4677de6c376f3a27e435cf57e8c997695971d6d99c4ef705eb803994426d3da81ef6061a276bd4b762d4f

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\manifest.json

Filesize
569B

MD5
2835dd0a0aef8405d47ab7f73d82eaa5

SHA1
851ea2b4f89fc06f6a4cd458840dd5c660a3b76c

SHA256
2aafd1356d876255a99905fbcafb516de31952e079923b9ddf33560bbe5ed2f3

SHA512
490327e218b0c01239ac419e02a4dc2bd121a08cb7734f8e2ba22e869b60175d599104ba4b45ef580e84e312fe241b3d565fac958b874d6256473c2f987108cc

Download Submit
memory/2076-124-0x0000000073A10000-0x0000000073B8B000-memory.dmp

Filesize
1.5MB

Download
memory/2076-122-0x0000000073A10000-0x0000000073B8B000-memory.dmp

Filesize
1.5MB

Download
memory/2076-123-0x00007FFC2A8D0000-0x00007FFC2AAC5000-memory.dmp

Filesize
2.0MB

Download
memory/2732-77-0x0000000072B00000-0x0000000072C7B000-memory.dmp

Filesize
1.5MB

Download
memory/2732-78-0x00007FFC2A8D0000-0x00007FFC2AAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3276-129-0x0000000073A10000-0x0000000073B8B000-memory.dmp

Filesize
1.5MB

Download
memory/3276-127-0x00007FFC2A8D0000-0x00007FFC2AAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3580-39-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/3580-44-0x0000000002F20000-0x00000000030E7000-memory.dmp

Filesize
1.8MB

Download
memory/3736-138-0x0000000004EC0000-0x0000000005082000-memory.dmp

Filesize
1.8MB

Download
memory/3736-142-0x0000000005980000-0x00000000059E6000-memory.dmp

Filesize
408KB

Download
memory/3736-148-0x0000000007580000-0x000000000758A000-memory.dmp

Filesize
40KB

Download
memory/3736-151-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/3736-152-0x0000000005110000-0x000000000514C000-memory.dmp

Filesize
240KB

Download
memory/3736-141-0x00000000058A0000-0x00000000058BE000-memory.dmp

Filesize
120KB

Download
memory/3736-140-0x0000000005D80000-0x00000000062AC000-memory.dmp

Filesize
5.2MB

Download
memory/3736-139-0x0000000005220000-0x0000000005296000-memory.dmp

Filesize
472KB

Download
memory/3736-131-0x0000000072620000-0x0000000073874000-memory.dmp

Filesize
18.3MB

Download
memory/3736-137-0x0000000004BF0000-0x0000000004C40000-memory.dmp

Filesize
320KB

Download
memory/3736-136-0x00000000052A0000-0x0000000005844000-memory.dmp

Filesize
5.6MB

Download
memory/3736-135-0x0000000004B00000-0x0000000004B92000-memory.dmp

Filesize
584KB

Download
memory/3736-134-0x00000000005A0000-0x0000000000674000-memory.dmp

Filesize
848KB

Download